56 Million Cards: The Home Depot Breach

Home Depot: 56 Million Cards

The registers had been compromised for five months before anyone knew.

Between April and September 2014, customers at The Home Depot — the largest home improvement retailer in the United States, with 2,200 stores and $83 billion in annual revenue — were unknowingly handing over their payment card data to a criminal network operating from Eastern Europe. At 7,500 self-checkout terminals across Home Depot’s North American stores, a piece of malware called Memory Parser was watching every swipe. Reading the card data in the instant before it was encrypted. Copying it silently into a collection buffer.

When the breach was finally discovered in September 2014, the scale was staggering: roughly 56 million payment card numbers from the registers, plus 53 million customer email addresses from a separate database. It was larger than the Target breach of eight months earlier that had shaken the retail industry to its foundations, and among the largest retail payment card breaches on record.

The method was almost identical to Target's. The stolen cards went on sale through the same carding shop. The lessons of Target had not been learned.

Threat Actor Profile: Rescator Network

Handle: Rescator
Real Name (alleged): Andrey Hodirevski, a Ukrainian national. The attribution rests on investigative journalism, principally Brian Krebs's work linking the handle to domain registration records, forum posts and social media accounts; no public law enforcement action has confirmed it.
Role: Operator of the underground carding shop where the Home Depot card data was sold, beginning September 2, 2014, in batches labelled "American Sanctions" (U.S.-issued cards) and "European Sanctions" (cards issued by European banks). Whether Rescator's crew carried out the intrusions themselves or only retailed the output is not publicly established.
Status: No confirmed arrest or extradition at time of writing.

Notorious Operations:

  • Target (November 27–December 15, 2013): Forty million payment card numbers stolen from roughly 1,800 U.S. stores during the peak holiday shopping period, along with personal data on some 70 million customers. The campaign that showed the industrialized retail card theft pipeline, from RAM scraper to carding shop, operating at national scale.
  • Home Depot (April–September 2014): The operation described in this chapter. Fifty-six million payment cards from self-checkout lanes, with the malware running undetected for about five months.
  • Neiman Marcus (July–October 2013): A RAM-scraping intrusion at the luxury retailer exposed approximately 1.1 million payment cards during the same season as Target. The tradecraft was similar; a link to the same crew has not been established.

The Setup: What the Target Breach Did Not Change

It is difficult to understand the Home Depot breach without first confronting an uncomfortable fact: it happened eight months after Target.

The Target breach of November 2013 had been a public catastrophe. The story was front-page news for weeks. The Target CEO resigned. Congress held hearings. The payment card industry issued urgent guidance. The security community published exhaustive post-mortems on exactly how the BlackPOS RAM scraper worked, how the attackers got in through an HVAC vendor's credentials, and how to detect it.

And yet.

Home Depot’s self-checkout terminals ran Windows XP Embedded. Microsoft’s extended support for desktop Windows XP had ended in April 2014; the Embedded edition remained supported into 2016, but the registers were still a decade-old platform. The company had reportedly begun a project to upgrade the registers to Windows 7 and to deploy point-to-point encryption (P2PE), which encrypts card data inside the reader before it reaches the terminal’s memory, so that a RAM scraper finds only ciphertext. The project was not complete. It would not be complete before the attackers arrived.

The gap between understanding that you are vulnerable and actually becoming secure is the window that sophisticated adversaries routinely exploit. Home Depot’s window was five months.

The Intrusion: Vendor Credentials, Again

The entry vector bore unmistakable resemblance to Target: a third-party vendor credential.

Home Depot’s network, like those of most major retailers, was accessible to contractors and service providers who needed remote access for legitimate business purposes. The attackers obtained valid credentials for one of these vendor accounts. Investigators never publicly confirmed how; the pattern matched Target, where the HVAC contractor’s credentials had been stolen by malware delivered in a phishing email.

With a legitimate credential, the attackers signed in. They were inside.

From the vendor’s limited foothold, the attackers moved laterally through Home Depot’s corporate IT environment over the following weeks, escalating privileges and mapping the internal network. Their target was the POS network: the systems running the self-checkout registers across every Home Depot store in North America.

To reach it, they exploited a vulnerability in Windows on the in-store systems. Home Depot’s own disclosure described it as a zero-day that gave the attackers elevated rights and said it had since been patched; the specific flaw was never publicly identified. What is confirmed: by April 2014, they had deployed malware across Home Depot’s self-checkout lanes.

Memory Parser: The Malware That Evaded Everything

The malware used in the Home Depot attack was not the BlackPOS build used at Target. It was a previously unseen variant, referred to in this chapter as “Memory Parser”, and its most important capability was not theft. It was invisibility.

After the Target breach, antivirus vendors had added signatures for BlackPOS. Memory Parser matched none of them when it arrived on Home Depot’s terminals: the company later said the malware had not been seen in any previous attack, and the endpoint tools in its stores raised no alarm.

The malware’s function was elegant in its simplicity:

RAM Scraping: When a customer swipes a card at a POS terminal, the card data briefly passes through the machine’s memory in unencrypted form. For a fraction of a second the full magnetic stripe data exists as plaintext, in the ISO 7813 track layout (Track 1 carries the PAN, cardholder name, expiry and service code; Track 2 the PAN, expiry and service code), before the payment application encrypts it and sends it downstream for authorization. Memory Parser scanned process memory continuously for that layout, copied the card number, expiration date and cardholder name from each match in real time, and silently wrote each captured record to an encrypted collection file on the local system.
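The search a RAM scraper performs is the same one a responder runs over a register's memory image to confirm whether track data is exposed. The following is an added example, not code from the Home Depot investigation or from the malware itself: it pattern-matches the ISO 7813 track layouts, filters hits with the Luhn check digit, and runs over two constructed memory images, one with tracks in the clear and one where a P2PE reader has already encrypted them. The test PANs are published Luhn-valid test numbers; the images, names and expiry values are constructed for the demonstration.

```python
"""Memory-dump triage for plaintext magnetic-stripe track data.

Added example, not code from the Home Depot investigation or from the
malware. It shows what a POS RAM scraper pattern-matches on, and why a
responder can run the same search over a register's memory image to
confirm whether card data is exposed there. Both memory images below are
constructed byte strings, not real captures.
"""
import hashlib
import re

# ISO/IEC 7813 track layouts as they sit in memory after a swipe:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects most random digit runs a scan turns up."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_memory(image: bytes) -> list:
    """Return one record per Luhn-valid PAN found as plaintext track data."""
    found = {}
    for m in TRACK1_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            rec = found.setdefault(pan, {"pan": pan})
            rec.update(name=m.group(2).decode(), expiry=m.group(3).decode(),
                       service_code=m.group(4).decode())
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            rec = found.setdefault(pan, {"pan": pan})
            rec.setdefault("expiry", m.group(2).decode())
            rec.setdefault("service_code", m.group(3).decode())
    return list(found.values())


def mask(pan: str) -> str:
    """PCI DSS display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed image of a register process with track data in the clear, the
# state a RAM scraper relies on. Card numbers are published Luhn-valid test
# PANs; one Luhn-invalid decoy shows why the check-digit filter matters.
PLAINTEXT_POS_IMAGE = (
    b"\x00" * 32
    + b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    + b"\x90" * 24
    + b";5500000000000004=25121011000000000?"
    + b"txn approved\x00"
    + b";1234567890123456=2512101000000?"      # decoy: fails Luhn
    + b";378282246310005=2512101000000?"       # 15-digit test PAN
    + b"\xff" * 16
)

# Constructed image of a register behind P2PE: the reader encrypted the
# tracks before the terminal saw them, so only ciphertext is resident. A
# SHA-256 digest stands in for the ciphertext bytes.
P2PE_POS_IMAGE = (
    b"\x00" * 32
    + b"P2PE:" + hashlib.sha256(b"constructed ciphertext stand-in").digest()
    + b"txn approved\x00"
)


if __name__ == "__main__":
    for label, image in (("plaintext POS", PLAINTEXT_POS_IMAGE),
                         ("P2PE POS", P2PE_POS_IMAGE)):
        hits = scan_memory(image)
        print(f"{label}: {len(hits)} card record(s)")
        for h in hits:
            print(f"  {mask(h['pan'])} exp={h['expiry']} "
                  f"svc={h['service_code']} name={h.get('name', '-')}")
```

The Luhn filter is what keeps a scan of a real memory image usable: sixteen-digit runs are common in heap data, and a scraper (or a triage script) that reports every one of them drowns in noise. Against the P2PE image the same scan returns nothing, which is the whole argument for encrypting in the reader.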

Exfiltration Architecture: Unlike some cruder POS malware, Memory Parser did not immediately attempt to push stolen data off the network. Instead, it collected card records locally and staged them on internal collection servers within Home Depot’s corporate network, FTP servers that the attackers had either compromised or set up within the environment. From these internal staging points, data was periodically pushed to external servers under the attackers’ control. This two-stage design reduced the likelihood of detection by perimeter tools: a register talking to the internet is an anomaly, whereas a corporate server doing so is routine, and the registers themselves only ever spoke to another internal host.
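The staging tier leaves a shape in flow logs that neither half shows on its own: one internal host collecting connections from many registers, and the same host then sending data to the internet. The following is an added example, not Home Depot tooling or data: it parses constructed flow records, looks for that fan-in plus egress combination, and shows the caveat a practitioner hits immediately, namely that the payment switch has exactly the same shape and must be baselined. The register subnet (10.50.0.0/16), the server addresses and every record below are constructed for the demonstration.

```python
"""Flow-log hunt for two-stage exfiltration through an internal staging host.

Added example, not Home Depot tooling or data. The flow records, the
register subnet (10.50.0.0/16), the corporate servers (10.1.0.0/16) and
every address below are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")        # assumed register range
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAN_IN_THRESHOLD = 5                                       # distinct registers per server

# Known-good servers that legitimately talk to every register AND to the
# internet, e.g. the payment switch forwarding authorizations to the
# acquirer. Without this baseline the hunt flags the payment path itself.
BASELINE = {"10.1.2.5"}

# Constructed flow records: "src dst dport bytes"
FLOWS = """
10.50.1.11 10.1.2.5 443 612
10.50.1.12 10.1.2.5 443 598
10.50.2.40 10.1.2.5 443 640
10.50.2.41 10.1.2.5 443 603
10.50.3.7 10.1.2.5 443 611
10.50.4.19 10.1.2.5 443 590
10.1.2.5 198.51.100.9 443 3210
10.50.1.11 10.1.9.8 53 92
10.50.1.12 10.1.9.8 53 88
10.50.2.40 10.1.9.8 53 90
10.50.2.41 10.1.9.8 53 91
10.50.3.7 10.1.9.8 53 89
10.50.4.19 10.1.9.8 53 93
10.50.1.11 10.1.7.23 445 18340
10.50.1.12 10.1.7.23 445 17210
10.50.2.40 10.1.7.23 445 20110
10.50.2.41 10.1.7.23 445 19870
10.50.3.7 10.1.7.23 445 18005
10.50.4.19 10.1.7.23 445 21440
10.1.7.23 203.0.113.45 21 2411000
10.1.7.23 203.0.113.45 50123 2398000
"""


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def parse_flows(text: str) -> list:
    """Parse 'src dst dport bytes' lines into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), int(nbytes)))
    return flows


def find_staging_hosts(flows: list, baseline=BASELINE, threshold=FAN_IN_THRESHOLD) -> list:
    """Internal hosts that aggregate traffic from many registers and then send
    data out of the network. Fan-in alone is normal (DNS, the payment switch),
    so the alert requires both halves and skips baselined servers."""
    fan_in = defaultdict(set)       # internal server -> registers talking to it
    outbound = defaultdict(list)    # internal host -> (external dst, port, bytes)
    for src, dst, dport, nbytes in flows:
        if src in POS_SUBNET and is_internal(dst) and dst not in POS_SUBNET:
            fan_in[dst].add(src)
        if is_internal(src) and not is_internal(dst):
            outbound[src].append((str(dst), dport, nbytes))
    alerts = []
    for host, registers in fan_in.items():
        if len(registers) < threshold or str(host) in baseline:
            continue
        if not outbound.get(host):
            continue
        alerts.append({
            "host": str(host),
            "registers": len(registers),
            "bytes_out": sum(b for _, _, b in outbound[host]),
            "outbound": outbound[host],
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for a in find_staging_hosts(parse_flows(FLOWS)):
        print(f"ALERT {a['host']}: fan-in from {a['registers']} registers, "
              f"{a['bytes_out']} bytes to external: {a['outbound']}")
```

Run against the sample, only 10.1.7.23 alerts. The DNS server sees the same fan-in but never talks outbound, and the payment switch talks outbound but is baselined; drop the baseline and the hunt immediately flags the legitimate authorization path, which is the tuning work this detection demands in a real estate.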

Over five months, Memory Parser harvested card swipes at approximately 7,500 self-checkout terminals across roughly 2,200 stores. The collection reached 56 million cards, among the largest in retail history, precisely because the terminals kept running, kept accepting cards, and kept copying the data while Home Depot’s security systems remained silent.

The Discovery: The Carding Market Gave It Away

Home Depot did not discover its own breach from internal security monitoring. It discovered it because Brian Krebs did.

On September 2, 2014, the investigative security journalist, the same reporter who had broken the Target breach, received a tip from banking fraud investigators who had noticed a massive new batch of stolen payment cards on Rescator’s shop. The batches, labelled “American Sanctions” and “European Sanctions” by the seller, were clearly new material: cards that had not appeared in prior breaches. The banks had run common point of purchase analysis on them, and the cards’ recent transaction histories shared one merchant, Home Depot.

Krebs contacted Home Depot and published the same day. The retailer said it was looking into “unusual activity”. On September 8, Home Depot confirmed the breach publicly.

The company brought in Symantec and FishNet Security to assist its forensic investigation. The findings were grim: Memory Parser had been present and operational on Home Depot’s self-checkout registers since at least April 2014. Roughly five months of continuous operation, undetected.

The Scale and the Fallout

The final tally exceeded Target’s.

56 million payment card numbers. Every major U.S. bank that processed Home Depot transactions had customers affected. Citigroup, JPMorgan Chase, Wells Fargo, and Bank of America collectively reissued millions of cards. The cost of reissuance alone, put by contemporaneous industry estimates at roughly $10 to $15 per card for the plastic, mailing and activation, ran into the hundreds of millions across the financial sector.

53 million email addresses. A separate portion of the attack, carried out by the same intrusion but distinct in its targeting, exfiltrated a database of customer email addresses. This data appeared separately from the payment card dump, and Home Depot warned customers to expect phishing campaigns built on it.

Contemporaneous bank estimates put fraud losses from all 2014 retail breaches at around $3 billion, with Home Depot the largest single source.

Home Depot’s settlements came in stages: $19.5 million to consumers (2016), $134.5 million to Visa, MasterCard and the affected issuers through the card brands’ recovery programs, $25 million to settle the financial institutions’ class action (2017), and $17.5 million to 46 states and the District of Columbia (2020). The company reported breach-related expenses of about $179 million through fiscal 2015, covering remediation, legal fees and settlements; that figure excludes the broader costs borne by banks and card issuers.

Home Depot had no chief information security officer at the time of the intrusion; it hired its first, Jamil Farshchi, in 2015. The absence of that role, of a single executive accountable for enterprise security, was itself cited as a contributing factor in subsequent analyses.

The Technology Response: P2PE, EMV, and the End of Magnetic Stripe Dominance

Home Depot’s breach, combined with Target’s, created an inflection point for the U.S. payments industry that had been resisted for years.

EMV chip cards, the standard used across Europe and much of the world, have the chip compute a cryptogram for each purchase: a MAC over the transaction data and a counter, so that data captured at the terminal cannot authorize another transaction, and a cloned stripe is refused wherever the terminal insists on the chip. France had deployed chip cards in the 1990s and the U.K. completed its migration in 2006. The U.S. payments industry, citing the cost of replacing terminals, had consistently delayed adoption. The Target and Home Depot breaches ended the debate.
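The difference between the two credentials is easiest to see side by side. The following is an added example, not code from any card network, issuer or chip vendor, and it is a deliberately simplified model: a real EMV ARQC is a MAC computed by the chip under a session key derived from the application transaction counter (ATC) and verified by the issuer with the card's master key. Here HMAC-SHA256 under a per-card secret stands in for that; the PAN is a published test number, the key is constructed, and the terminal's unpredictable number is passed in explicitly so the run is repeatable. A scraper on the terminal is assumed to capture every field the terminal saw, and the demo tries to reuse them.

```python
"""Stripe replay versus an EMV-style per-transaction cryptogram.

Added example, not code from any card network, issuer or chip vendor. It is
a deliberately simplified model: a real EMV ARQC is a MAC that the chip
computes with a session key derived from the application transaction
counter (ATC), and the issuer checks it with the card's master key. Here
HMAC-SHA256 under a per-card secret stands in for that, the PAN and key are
constructed test values, and the terminal's "unpredictable number" is
passed in explicitly so the demonstration is repeatable.
"""
import hashlib
import hmac

PAN = "4111111111111111"                                      # published test PAN
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed secret
TRACK2 = ";4111111111111111=2512101000000?"                   # what a RAM scraper captures


def make_cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, un: int) -> bytes:
    """MAC over the transaction data; changes with every ATC and UN."""
    msg = f"{pan}|{amount_cents}|{atc}|{un:08x}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip side: holds the secret and a monotonically increasing ATC."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, un: int):
        self.atc += 1
        return self.atc, make_cryptogram(self.key, self.pan, amount_cents, self.atc, un)


class Issuer:
    """The issuer side: recomputes the MAC and refuses any ATC already used."""
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enrol(self, pan: str, key: bytes):
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorize_chip(self, pan, amount_cents, atc, un, cryptogram) -> bool:
        key = self.keys.get(pan)
        if key is None:
            return False
        expected = make_cryptogram(key, pan, amount_cents, atc, un)
        if not hmac.compare_digest(expected, cryptogram):
            return False            # data altered, or cryptogram from another transaction
        if atc <= self.last_atc[pan]:
            return False            # replay of a transaction already authorized
        self.last_atc[pan] = atc
        return True

    def authorize_stripe(self, track2: str) -> bool:
        """Stripe authorization has nothing per-transaction to check: the
        static track data is the whole credential."""
        pan = track2[1:].split("=")[0]
        return pan in self.keys


def run_demo() -> dict:
    issuer = Issuer()
    issuer.enrol(PAN, CARD_KEY)
    card = ChipCard(PAN, CARD_KEY)

    # Genuine chip purchase: terminal supplies amount and unpredictable number.
    un = 0x1A2B3C4D
    atc, ac = card.generate_ac(4999, un)
    results = {"chip_genuine": issuer.authorize_chip(PAN, 4999, atc, un, ac)}

    # A scraper on the terminal captured every field above. Try to reuse them.
    results["chip_replay_same"] = issuer.authorize_chip(PAN, 4999, atc, un, ac)
    results["chip_replay_new_un"] = issuer.authorize_chip(PAN, 4999, atc, 0x55667788, ac)
    results["chip_replay_new_amount"] = issuer.authorize_chip(PAN, 12000, atc, un, ac)

    # The cardholder's next genuine purchase still works (ATC advances).
    atc2, ac2 = card.generate_ac(1500, 0x0BADF00D)
    results["chip_next_genuine"] = issuer.authorize_chip(PAN, 1500, atc2, 0x0BADF00D, ac2)

    # Captured stripe data replays indefinitely.
    results["stripe_replays"] = [issuer.authorize_stripe(TRACK2) for _ in range(3)]
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:24} {v}")
```

Everything the scraper saw at the chip terminal is useless a second time: the same cryptogram fails on the ATC check, and any change to the amount or unpredictable number fails the MAC. The stripe credential, by contrast, authorizes as often as it is presented, which is why the scraped data from Home Depot's registers was sellable at all.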

On October 1, 2015, about thirteen months after the Home Depot breach was confirmed, the U.S. card networks’ EMV liability shift took effect. For counterfeit-card fraud, liability moved to whichever party, merchant or issuer, had not deployed chip technology. Magnetic stripes did not vanish, but counterfeit fraud at chip-enabled merchants fell sharply over the following years.

Home Depot itself completed its enhanced payment encryption rollout in all U.S. stores on September 13, 2014, days after confirming the breach, with Canadian stores following in early 2015, and said EMV chip-and-PIN readers would be in all U.S. stores by the end of 2014, well ahead of the liability shift.

The memory that Memory Parser exploited — the window of unencrypted data that exists when a magnetic stripe card is swiped — was closed. But only after 56 million cards had passed through it.


Attack Chain: Home Depot — Memory Parser POS Malware

graph TD
    A["🐟 Rescator Network\n(Eastern European Cybercrime)"] --> B["Reconnaissance\nHome Depot Vendor Ecosystem\n& Network Architecture"]

    B --> C["Credential Acquisition\nThird-Party Vendor Account\n(Phishing or dark web purchase)"]

    C --> D["Initial Access\nHome Depot Corporate IT Network\nvia Vendor Remote Access\nApril 2014"]

    D --> E["Lateral Movement\nPrivilege Escalation\nCorporate IT → Store POS Network\n(Windows zero-day, per Home Depot)"]

    E --> F["Memory Parser Malware\nPreviously unseen POS RAM scraper\nNo AV signature at the time\nEndpoint tools raised no alert"]

    F --> G["Deployed to\n~7,500 Self-Checkout\nTerminals\nAll North American Stores"]

    G --> H["RAM Scraping Loop\nCaptures Track 2 Data\nfrom memory at moment\nof card swipe"]

    H --> I["Local Collection\nEncrypted staging files\nper terminal"]

    I --> J["Internal Staging Servers\nData aggregated within\nHome Depot network"]

    J --> K["Exfiltration\nPeriodic push to\nexternal attacker FTP\nservers — Eastern Europe"]

    K --> L["5 Months Undetected\nApril → September 2014"]

    L --> M["56M Payment Cards\n53M Email Addresses\nContinuously harvested"]

    M --> N["'American Sanctions' and\n'European Sanctions' Batches\nPosted on Rescator's\nCarding Shop\nSept 2, 2014"]

    N --> O["Brian Krebs\nTipped by Bank\nFraud Analysts\nSept 2, 2014"]

    O --> P["Home Depot Confirms\nBreach Publicly\nSept 8, 2014"]

    P --> Q["Forensic Investigation\nSymantec & FishNet Security Engaged"]

    Q --> R["🔴 Impact"]
    R --> R1["56M Cards\nLarger than Target's 40M"]
    R --> R2["$179M+ Home Depot\nBreach Costs (through FY2015)\n$134.5M card-network settlement"]
    R --> R3["$3B Estimated Fraud\nLosses Across Banking Sector"]
    R --> R4["Millions of Cards\nReissued by Major Banks"]

    P --> S["Industry Response"]
    S --> S1["EMV Chip-and-PIN Readers\nHome Depot US stores\nby end of 2014"]
    S --> S2["Enhanced Encryption (P2PE)\nUS stores Sept 13, 2014\nCanada early 2015"]
    S --> S3["EMV Liability Shift\nOct 1, 2015 — US Industry\nAdopts Chip Standard"]
    S --> S4["Counterfeit Card Fraud\nat Chip Terminals Declines"]
