Anatomy of a Breach: Home Depot — 56 Million Cards Stolen Over Five Months via Custom POS Malware

> series: anatomy_of_a_breach —— part: 069 —— target: home_depot —— cards: 56,000,000 —— dwell_time: 5_months

Hedgehog Security, 30 September 2014, 13 min read

56 million cards. Five months. 2,200 stores. They used the same playbook as Target.

On 8 September 2014, Home Depot confirmed that its payment systems had been breached. The intrusion exposed approximately 56 million payment card numbers and 53 million customer email addresses. The breach had been active from April to September 2014: five months of undetected data exfiltration across roughly 2,200 stores in the United States and Canada. Security journalist Brian Krebs broke the story on 2 September, before Home Depot's own confirmation, and reported that the malware appeared to be a variant of BlackPOS, the custom memory-scraping POS malware family used in the Target breach disclosed nine months earlier.

The parallels with Target were striking: both breaches began with stolen vendor credentials, both involved lateral movement from the vendor access point into the POS environment, both deployed custom malware to capture card data at the point of sale, and in both cases the retailer learned of the intrusion from outside parties (banks, law enforcement, a journalist) rather than from its own monitoring. Home Depot's breach was larger than Target's in card volume (56 million vs 40 million) and far longer in dwell time (five months vs roughly three weeks). The total cost to Home Depot exceeded $179 million in settlements and remediation.


Nine months after Target — the same attack, the same failures.

The Home Depot breach came to light nine months after the Target breach was disclosed and used the same attack methodology. In that interval the security community had published extensive analysis of the Target intrusion, the POS malware used, and the vendor-access weaknesses exploited. Home Depot nonetheless fell to the same pattern, which shows that awareness of a threat does not automatically translate into protection against it.

Vendor Credentials — Again

Like Target, the entry point was a third-party vendor's stolen credentials. The lesson that third-party access must be protected with MFA, monitored, and segmented from payment systems had been stated by every security firm that analysed Target. Home Depot had not implemented these controls. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses vendor segmentation and access controls.

POS Malware — Same Family

The attackers deployed a variant of BlackPOS, the memory-scraping malware family used against Target. Card data has to exist in plaintext somewhere between the magnetic-stripe read and encryption for transmission, and on a POS terminal without point-to-point encryption (P2PE) at the reader that place is the POS application's process memory. The malware scanned that memory for magnetic-stripe track data, which has a recognisable layout (Track 2 is PAN, '=', expiry, service code, discretionary data, between sentinel characters), and wrote the matches out for later collection. Encrypting at the card reader removes the plaintext window the malware depends on; Home Depot reported rolling out payment-data encryption at point of sale in its US stores shortly after the disclosure. Our <a href="/penetration-testing/pci-dss">PCI DSS penetration testing</a> assesses POS environment security and the controls that prevent malware deployment.

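
To make the memory-capture step concrete, here is an added example (not code from this page, from Home Depot, or from any published malware analysis): the pattern-plus-Luhn scan that memory-scraping POS malware runs over a POS process's memory, written as a defensive tool you can point at a memory dump or a process image to confirm whether plaintext track data is present. The sample buffer, the cardholder name and the PANs are constructed for the example; the PANs are the industry-standard test numbers that pass the Luhn check but are not issued to anyone.

```python
import re
from typing import Dict, List

# Constructed sample of what a POS application's heap can look like mid-transaction.
# The PANs are standard test numbers (pass Luhn, never issued); the name is invented.
SAMPLE_MEMORY = (
    b"\x00\x00order=4471;lane=07\x00\x00"
    b"%B4111111111111111^DOE/JOHN^2512101123400000000?"   # Track 1, test PAN
    b"\x00\x00\x00"
    b";5555555555554444=25121011234000000000?"             # Track 2, test PAN
    b"\x00junk;1234567890123456=2512101?\x00"              # track-shaped, fails Luhn
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?  (ISO/IEC 7813)
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})[^?]{0,30}\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check that every real PAN passes; scrapers use it to drop false matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit -> int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four only, which is all a report should carry."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, str]]:
    """Return every Luhn-valid track record found in buf, with the PAN masked."""
    hits: List[Dict[str, str]] = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, expiry = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            hits.append({"track": "1", "pan": mask(pan),
                         "name": name.decode("ascii", "replace"),
                         "expiry": expiry.decode("ascii"),
                         "offset": str(m.start())})
    for m in TRACK2_RE.finditer(buf):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": mask(pan),
                         "expiry": expiry.decode("ascii"),
                         "offset": str(m.start())})
    return hits


def scan_file(path: str) -> List[Dict[str, str]]:
    """Scan a memory dump on disk (for example a saved process image) the same way."""
    with open(path, "rb") as f:
        return find_track_data(f.read())


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against the sample it reports two records and discards the third, track-shaped but Luhn-invalid string, which is exactly the filtering a scraper does to avoid collecting junk. Run against a process image from a till with P2PE at the reader it should return nothing; if it returns records, the encryption is happening too late and the malware's precondition is met.
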
Five Months Undetected

The breach ran from April to September 2014: five months of active card theft across 2,200 stores without detection, with the first indications coming from banks tracing fraud back to Home Depot cards rather than from the retailer's own monitoring. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides 24/7 monitoring that detects the data exfiltration patterns, unusual network traffic, and malware command-and-control communications that POS breaches produce.

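
Here, as an added example that is not the page's or any product's code, is the shape of the simplest network detection for a POS compromise: a POS VLAN whose tills should only ever reach the payment gateway and an internal update server, with every other egress flow from that segment raised as an alert, its outbound volume totalled, and a periodicity check that catches hourly beaconing or scheduled uploads. The subnet, the allowlist and the firewall log lines are all constructed assumptions for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed network layout for the example: the POS VLAN and the only two
# destinations a till should ever talk to (payment gateway, internal update server).
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
EGRESS_ALLOWLIST = {("203.0.113.10", 443), ("10.1.1.20", 8530)}

# Constructed firewall log lines: timestamp src dst dport bytes_out.
# 10.50.7.21 is a till that has started pushing ~2 MB to an outside host every hour.
LOG_LINES = """\
2014-05-02T02:10:11Z 10.50.7.21 203.0.113.10 443 1820
2014-05-02T02:11:03Z 10.50.7.21 10.1.1.20 8530 420
2014-05-02T02:15:00Z 10.50.7.21 198.51.100.7 443 2048000
2014-05-02T02:20:44Z 10.50.9.104 203.0.113.10 443 1700
2014-05-02T02:21:09Z 10.9.3.50 198.51.100.7 443 9000
2014-05-02T03:15:00Z 10.50.7.21 198.51.100.7 443 1997000
2014-05-02T04:15:00Z 10.50.7.21 198.51.100.7 443 2101000
""".splitlines()

Event = Tuple[datetime, str, str, int, int]


def parse_line(line: str) -> Event:
    ts, src, dst, dport, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(dport), int(nbytes)


def egress_alerts(lines: List[str], min_connections: int = 3,
                  jitter: float = 0.1) -> List[Dict[str, object]]:
    """One alert per (POS host, destination, port) that is outside the allowlist.

    The alert is marked periodic when there are at least min_connections and the
    gaps between them vary by no more than `jitter` of the mean gap (beacon-like).
    """
    flows: Dict[Tuple[str, str, int], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        when, src, dst, dport, nbytes = parse_line(line)
        if ipaddress.ip_address(src) not in POS_SEGMENT:
            continue                      # not a till; out of scope for this rule
        if (dst, dport) in EGRESS_ALLOWLIST:
            continue                      # expected traffic
        flows[(src, dst, dport)].append((when, nbytes))

    alerts: List[Dict[str, object]] = []
    for (src, dst, dport), events in sorted(flows.items()):
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        periodic = False
        if len(events) >= min_connections:
            mean_gap = statistics.mean(gaps)
            periodic = mean_gap > 0 and statistics.pstdev(gaps) <= jitter * mean_gap
        alerts.append({
            "src": src, "dst": dst, "dport": dport,
            "connections": len(events),
            "bytes_out": sum(n for _, n in events),
            "periodic": periodic,
        })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(LOG_LINES):
        print(alert)
```

The rule only works if the POS segment really is separated and its permitted destinations really are enumerable, which is the segmentation point made under the vendor-credentials heading; on a flat network the allowlist cannot be written and the till's traffic disappears into everything else's.
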
Self-Checkout Terminals Targeted

The malware was deployed predominantly on self-checkout lanes: terminals that process high volumes of transactions with minimal staff oversight. That choice shows attackers optimising for the highest data yield at the lowest detection risk. <a href="/blog/sector-under-the-microscope-retail">Our retail sector analysis</a> examines POS security in depth.


Knowing about Target's breach did not prevent Home Depot's.

The Home Depot breach is the clearest possible demonstration that knowledge without action is worthless. Every major retailer knew about the Target breach by January 2014. The attack methodology was public, the malware had been analysed, and the defensive recommendations were clear. Nine months later, Home Depot fell to the same attack. The difference between knowing about a threat and being protected against it is implementation: tested, verified, monitored implementation.

Our PCI DSS penetration testing validates that POS security controls are implemented, not just documented. Infrastructure testing verifies vendor segmentation. Cyber Essentials mandates MFA and access controls. SOC in a Box for Retail monitors POS environments continuously. And UK Cyber Defence provides incident response when a POS compromise is detected.


Target was breached in November 2013. Home Depot was breached in April 2014. Have you tested yet?

Our <a href="/penetration-testing/pci-dss">PCI DSS testing</a> validates POS security. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> verifies vendor segmentation. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a> monitors continuously.
