Home Depot has issued a statement today that provides more details about their recent breach, as well as indicating that the malware used by the attackers has now been removed from their systems. This breach appears to be even larger than Target’s, as it exposed payment information for 56 million customers in their US and Canada locations. The full extent of what data was lost has not yet been determined.
This breach apparently began in April, and continued until September. If you shopped in a Home Depot store during that period of time, you may be wondering how to identify or mitigate problems caused by this breach. Here are a few steps you can take now:
Check your account for suspicious activity
The first, and most important thing you can do is to check the transactions for the credit and debit cards you used at Home Depot stores during this time period. If you see activity that you do not recognize, it is important that you notify the card issuer immediately. Keep in mind that the criminals may not use or sell all of the stolen data right away (in order not to flood the market and devalue the data, they may sell it over the course of several months). You will need to be vigilant with these accounts for a while.
Ask for a replacement debit/credit card
If you would rather not wait for the hammer to drop on criminals potentially selling your stolen data, especially if the card in question is a debit card that pulls funds directly from your bank account, you may wish to ask for a replacement card. Keep in mind that if you have any auto-pay accounts that reference this account number, you will need to update that information. By asking for a replacement card, you will have more outlay of time now, in the hopes of preventing a bigger outlay of time in the future, if your card data does get stolen. The Federal Trade Commission (FTC) offers a lot of advice on dealing with lost or stolen cards.
Choose a stronger debit PIN
If the card that was used was a debit card, you may wish to change your PIN. While it not yet known whether the criminals have stolen this information, many people use weak PINs that are easy to guess. Making this change is a small step that can greatly improve your security.
Check your credit report
Criminals could take the data they have stolen and combine it with other data to wreak more havoc. It is a good idea to regularly monitor your credit report, to identify and then report any fraudulent transactions. The FTC has a helpful website for those looking for tips on how to (safely) get a free credit report, including contact information for the three credit reporting agencies. You may also want to look into setting up a fraud alert or a credit freeze if you want additional protection against fraudsters trying to get credit in your name. Be aware that these steps will also mean you have to go through additional verification if you wish get credit, for the duration of the alert or freeze.
Change your HomeDepot.com password
There is no indication that HomeDepot.com was compromised, but this incident is a good reminder to be vigilant about choosing strong passwords and changing them often.
Beware of scams
Criminals are aware that people will be feeling especially anxious about their security and privacy as a result of this incident. This could lead to other scams. Some folks may, ironically, be more apt to fall for social engineering tactics that prey on this fear of their cards being compromised. Be sure not to click on links in emails purporting to come from businesses using this angle, especially if they appear suspicious in any way. Instead, you should type the expected URLs into your browser directly to contact companies.
Author Lysa Myers, ESET