The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
If you’re one of the millions of folks who used a payment card at a Home Depot store this past spring or summer your identity may be at risk. I asked Chris Camejo, director of assessment services at NTT Com Security, to outline the go-forward ramifications of the Home Depot breach for the victims and future Home Depot customers as well.
Byron Acohido: What should anyone who shopped at Home Depot in the past few months expect next?
Chris Camejo: Home Depot’s customers should be checking their credit and debit card statements carefully to make sure there are no fraudulent purchases or withdrawals, and they shouldn’t be surprised if their card gets shut off and/or replaced with little or no notice. I’m sure Home Depot and the banks are frantically trying to identify those accounts so that they can cancel the stolen cards before they lose any more money to fraud.
BA: What are the data thieves up to?
The thieves are selling the stolen cards on black market websites right now. At this point it’s basically a race to see how many fraudulent transactions the carders can run through before the banks figure out which cards were affected and replace them. I’m sure Home Depot and the banks are frantically trying to identify those accounts so that they can cancel the stolen cards before they lose any more money to fraud.
BA: How useful are the free consulting services merchants offer to customers when a big breach gets disclosed?
Camejo: Home Depot is offering the usual “free identity theft monitoring” which is pointless in a way. Identity theft monitoring is to check if someone is opening new lines of credit in your name which would require a Social Security number. There’s no need to do that when the attacker has stolen the line of credit you’ve already opened.
BA: Home Depot must now meet data loss disclosure laws in 47 states. How onerous is that going to be?
Camejo: Most of the laws are fairly similar, so notifying people shouldn’t be too bad once they actually identify all of the people who were affected. One of the loopholes in the disclosure laws is that the disclosure can be delayed if requested by law enforcement and the Secret Service typically gets involved in these big fraud cases. I wouldn’t be surprised if much of the information is kept under wraps so that they can try to nail the perpetrators.
BA: So far Target, P.F. Chang’s, UPS, Goodwill, Sally Beauty, Michael’s, Neiman Marcus and now Home Depot have disclosed breaches. What does this suggest about the true scope of breaches of major chains?
Camejo: It’s not very surprising. Big companies handle lots of transactions and are therefore enticing targets, (and) it takes much less effort to break into one network and steal 40 million accounts than it does to break into 400 networks and steal 100,000 accounts each. These large companies are also at a disadvantage because they’re so big: Every system that is attached to a network is another potential vulnerability that can be exploited, and these big companies likely have many more systems than small and medium merchants.
BA: Anything else?
Camejo: Home Depot and Target are moving to chip-and-PIN payment systems. Unfortunately this alone won’t solve much. Chip cards send their data to the terminal unencrypted just like magstripe cards and could be captured in nearly the same way. The captured card data may not be usable at another chip-and-PIN merchant, but it can be used to make online purchases or cloned onto a magstripe card and used at a merchant that doesn’t support chip-and-PIN.
Image: iStock
October 19, 2023
Identity Theft and Scams
May 17, 2022
Identity Theft and Scams
May 20, 2021
Identity Theft and Scams