A Russian black marketeer is selling more than 52,000 credit and debit card numbers believed to have been stolen from Home Depot stores in Maine as part of a suspected nationwide data breach at the retail chain.
The latest suspected breach is another sign that banks and retailers need to implement better security technology, consumer advocates in Maine said.
A black market website listed the stolen card numbers for sale Tuesday, allowing buyers to search for card data according to variables such as the issuing bank and the store location where the card was used.
The site is operated by a well-known Russian hacker named Rescator, who is believed to have been responsible for last year’s data breach at Target stores.
The total amount of U.S. card numbers for sale since the suspected Home Depot breach is unknown, but it is believed to be in the tens of millions, according to security analysts. About 40 million numbers were stolen in the Target breach, they said.
Home Depot had not yet confirmed as of late Thursday that the latest batch of stolen card numbers came from its stores, and no information was available about the time frame in which the theft occurred. However, the 11 ZIP codes from which the 52,350 Maine card numbers were stolen correspond with the retailer’s 11 stores in the state.
The same pattern holds true nationally, said security analyst and blogger Brian Krebs, who broke the story about the suspected Home Depot breach on his website, krebsonsecurity.com. According to Krebs, it appears that at least 99 percent of Home Depot’s roughly 2,200 U.S. stores were affected.
A Press Herald analysis of the black market site found that the greatest volume of card numbers from Maine appears to have been stolen from the Home Depot in South Portland (7,900), followed by Biddeford (6,800) and Topsham (6,550). It is likely the theft numbers at those stores are even higher because the black marketeer’s website limits card number searches – which can be done using different criteria such as card type, issuer and expiration date – to 1,650 results.
The card data was posted to the Russian site in large batches known as “dumps,” each with its own designated name. The dumps containing Maine credit and debit card numbers are named “Desert Strike,” “American Sanctions” and “Eagle Claw.”
Rescator is a known hacker who is active on the digital underground forum Lampeduza, a gathering place for hackers and other cybercriminals. The Press Herald declined to publish the address of his website because it is a criminal enterprise and the danger to those who visit the site is unknown.
Any visitor to the website can register and browse the database. Each listing shows the first six digits of the card number. The bank identification number, or BIN, identifies the issuing bank.
Also listed is the name of the bank; the card expiration date; whether it is a consumer, business, debit, credit, gold or platinum card; and the location from which the numbers were stolen. Location is important to thieves, because banks often flag a transaction as potentially fraudulent if it is made far from where the card is customarily used.
Each listing also indicates whether the data include detailed “Track 1” information, such as the cardholder’s name and a security code embedded in the card’s magnetic strip.
Finally, the website lists the asking price for each card’s data, which in most cases is between $6 and $60. The online purchaser can buy multiple items via a shopping-cart system typical of e-commerce websites.
To make a purchase, a buyer must send money to Rescator and his accomplices, either via a virtual currency such as Bitcoin or a wire transfer via Western Union.
The Maine Bureau of Consumer Credit Protection has been receiving calls from concerned residents, but has not yet heard any reports of fraudulent activity as a result of the suspected Home Depot breach, said William Lund, the bureau superintendent.
“There is no need for consumers to panic,” Lund said. In most cases the issuing bank will cover any losses to the card holder if fraudulent activity is reported in a timely manner, he said.
But retailers and banks aren’t likely to take the news so calmly, Lund said. The string of recent data breaches at major retailers such as Target, Neiman Marcus and Shaw’s is likely to put added pressure on them to upgrade their security systems, he said.
“This is going to push the implementation of the more protective technology that’s been in existence for many years now,” he said.
The banking industry already has given retailers a 2015 deadline to begin implementing next-generation card readers that scan an embedded microchip in the card for added security. Still, it will take time for banks to issue the new chip-embedded cards to everyone, and for retailers to replace their existing scanners with the more sophisticated ones, Lund said.
“It’s going to be a bumpy transition,” he said. “You can’t snap your fingers and have the cards and the reader technology all at once.”
In the meantime, consumers should examine their card transaction records regularly and immediately report suspected fraud to their bank, said Martha Currier, complaint examiner for the Maine Office of the Attorney General’s Consumer Protection Division.
The sheer volume of Mainers’ stolen card numbers for sale means every consumer needs to remain vigilant, Currier said.
“Pretty much everyone you know has been breached,” she said.
Currier does not believe it’s necessary for every Home Depot shopper to cancel their cards and order new ones. The retailer has said this week that it is investigating the matter and will offer free credit monitoring to all affected customers if a breach is confirmed.
As hacking technology and techniques continue to advance, data heists are becoming increasingly commonplace, Currier said. At this point, it probably isn’t practical to have cards replaced every time a new breach is discovered, she said.
“Because if you did, you might be doing this every day,” Currier said.
Send questions/comments to the editors.
Comments are no longer available on this story