What's Next for Home Depot Customers

If you’re one of the millions of folks who used a payment card at a Home Depot store this past spring or summer your identity may be at risk. I asked Chris Camejo, director of assessment services at NTT Com Security, to outline the go-forward ramifications of the Home Depot breach for the victims and future Home Depot customers as well.

Byron Acohido: What should anyone who shopped at Home Depot in the past few months expect next?

Chris Camejo: Home Depot’s customers should be checking their credit and debit card statements carefully to make sure there are no fraudulent purchases or withdrawals, and they shouldn’t be surprised if their card gets shut off and/or replaced with little or no notice. I’m sure Home Depot and the banks are frantically trying to identify those accounts so that they can cancel the stolen cards before they lose any more money to fraud.

BA: What are the data thieves up to?

The thieves are selling the stolen cards on black market websites right now. At this point it’s basically a race to see how many fraudulent transactions the carders can run through before the banks figure out which cards were affected and replace them. I’m sure Home Depot and the banks are frantically trying to identify those accounts so that they can cancel the stolen cards before they lose any more money to fraud.

BA: How useful are the free consulting services merchants offer to customers when a big breach gets disclosed?

Camejo: Home Depot is offering the usual “free identity theft monitoring” which is pointless in a way. Identity theft monitoring is to check if someone is opening new lines of credit in your name which would require a Social Security number. There’s no need to do that when the attacker has stolen the line of credit you’ve already opened.

BA: Home Depot must now meet data loss disclosure laws in 47 states. How onerous is that going to be?

Camejo: Most of the laws are fairly similar, so notifying people shouldn’t be too bad once they actually identify all of the people who were affected. One of the loopholes in the disclosure laws is that the disclosure can be delayed if requested by law enforcement and the Secret Service typically gets involved in these big fraud cases. I wouldn’t be surprised if much of the information is kept under wraps so that they can try to nail the perpetrators.

BA: So far Target, P.F. Chang’s, UPS, Goodwill, Sally Beauty, Michael’s, Neiman Marcus and now Home Depot have disclosed breaches. What does this suggest about the true scope of breaches of major chains?

Camejo: It’s not very surprising. Big companies handle lots of transactions and are therefore enticing targets, (and) it takes much less effort to break into one network and steal 40 million accounts than it does to break into 400 networks and steal 100,000 accounts each. These large companies are also at a disadvantage because they’re so big: Every system that is attached to a network is another potential vulnerability that can be exploited, and these big companies likely have many more systems than small and medium merchants.

BA: Anything else?

Camejo: Home Depot and Target are moving to chip-and-PIN payment systems. Unfortunately this alone won’t solve much. Chip cards send their data to the terminal unencrypted just like magstripe cards and could be captured in nearly the same way. The captured card data may not be usable at another chip-and-PIN merchant, but it can be used to make online purchases or cloned onto a magstripe card and used at a merchant that doesn’t support chip-and-PIN.