This is all sounding horribly familiar. Brian Krebs, a prominent cybersecurity blogger, reported on Tuesday that Home Depot had likely been hacked based on a “massive” batch of stolen credit and debit card data appearing for sale online. Krebs, if you remember, also broke the news that Target had suffered a breach last December.
The data in question are being sold on the same site, rescator.cc, that hawked Target’s stolen data, Krebs said, indicating that it may be the same group behind both breaches. The names of the batches currently for sale—“American Sanctions” and “European Sanctions”—spurred Krebs to speculate that this hack is intended as retribution for penalties imposed on Russia in reaction to its actions in Ukraine. The intrusion into Home Depot may date as far back as late April, suggesting the breach could be larger than Target’s.
Home Depot confirmed that it was looking into unusual activity and would make sure customers were notified if the company identified a breach, according to Bloomberg News.
Now comes the gold rush. Daniel Ingevaldson, chief technology officer at Easy Solutions, which provides anti-fraud services to banks, says stolen card data that went up today on Rescator are commanding prices of $50 to $100 each. The website, known for its ease of use, has become the clearinghouse for the largest breaches, selling hundreds of thousands of cards at a time. But it’s been in and out of service, according to Ingevaldson, which may be a sign of extremely high demand for the data. Cybercriminals want to get them while they’re fresh, before banks have defenses in place for the breach, and their enthusiasm might be overwhelming Rescator like shoppers on Black Friday. It’s also possible that rival cybercriminals are attacking the website, he says, forcing it offline to stall sales.
Although it all sounds sadly familiar, banks and companies have learned from the steady drumbeat of breach reports over the past year. The window of opportunity to profit from stolen card data has definitely shrunk, Ingevaldson says, and more banks have been monitoring the black market themselves—mimicking Krebs and others—to get an earlier warning when card data have been stolen.