Fraudulent Transactions Surface in Wake of Home Depot Breach

Wall Street Journal – by Robin Sidel

A large data breach at Home Depot Inc. HD +1.67% has started to trigger fraudulent transactions that are rippling across financial institutions and, in some cases, draining cash from customer bank accounts, according to people familiar with the impact of the hacking attack.

The fraudulent transactions are showing up across the U.S. as criminals use stolen card information to buy prepaid cards, electronics and even groceries, these people said. In some cases, the fraudulent transactions have been tracked to batches of cardholder accounts that are tied to specific ZIP Codes, they said.  

Financial institutions also are stepping up efforts to block the transactions by rejecting them if they appear unusual. Home Depot has said that 56 million cards may have been exposed in a five-month attack on its payment terminals.

The trends are all too familiar to thousands of the nation’s financial institutions, which have spent much of the year trying to root out fraudulent transactions tied to breaches at merchants like Target Corp., Neiman Marcus Group Ltd., grocer Supervalu Inc. and Asian restaurant chain P.F. Chang’s China Bistro Inc.

Home Depot disclosed the breach this month, prompting banks and credit unions to start scouring debit-card and credit-card transactions for signs of fraud that could be tracked to the do-it-yourself home-repair company.

The size of the Home Depot breach makes the attack significantly larger and lengthier than the 40 million cards that were compromised in the Target hacking that occurred in the three weeks leading up to Christmas last year.

It still is too early to tell how many instances of fraud will eventually be traced to the Home Depot breach. The flood of recent incidents across numerous retailers means that cardholders may have shopped at more than one merchant that had been attacked, making it difficult to decipher which fraudulent transaction is tied to which breach. Banks also may have found fraudulent transactions stemming from the Home Depot hacking before they were aware that the breach had occurred.

Following the Home Depot disclosure,Visa Inc. V +0.92% and MasterCard Inc.,MA +2.04% the networks that process card transactions, issued alerts to thousands of financial institutions, telling them to be on the lookout for fraudulent transactions. The networks have told banks that stolen information included account numbers, cardholder names and card-expiration dates—data that is needed to produce counterfeit cards—according to people familiar with the alerts.

Fraud losses from existing bank accounts and credit-card accounts rose 45% last year to $16 billion, according to Javelin Strategy & Research, a consulting firm that is a unit of Greenwich Associates LLC.

Customers aren’t responsible for unauthorized transactions, but they are usually required to provide paperwork denying they made the purchase. Financial institutions are typically on the hook for fraud costs associated with breaches, although the merchant sometimes eventually reimburses lenders for some of those costs.

Some large financial institutions, including J.P. Morgan Chase JPM +1.13% & Co. andCapital One Financial Corp. COF +0.45% , have proactively started reissuing cards to customers whose data were exposed in the Home Depot attack. Other lenders are reissuing cards only when they see fraud attempts.

Representatives of large banks were reluctant to discuss the fallout from the attack, saying they didn’t want to appear vulnerable to hackers. A spokesman for Home Depot declined to comment on any fraudulent activity tied to its breach.

The amount of fraud and the type of illicit transactions aren’t significantly different from activity that has followed other large attacks, said people familiar with the transactions. That could change quickly, however, in coming weeks, they said.

Air Academy Federal Credit Union has caught roughly $20,000 worth of attempted fraudulent transactions tied to cards that were exposed from the Home Depot breach, said Brad Barnes, chief financial officer at the credit union in Colorado Springs, Colo.

“It’s not huge, but for a three-week period it’s a big start,” he said. The credit union has beefed up staffing in its fraud department, particularly on weekends when criminals often try to use counterfeit cards.

Banks are seeing fraudulent activity that stems from cards that were used both at Home Depot’s traditional cashier lines and self-service checkout lanes, according to a person at a large bank who is familiar with the fraudulent activity. Much of the fraud or attempted fraud is occurring within the U.S., said another person at a different financial institution.

Jessica McFarland was home in Kalama, Wash., on Saturday afternoon when she received a fraud text alert from her credit union, asking if she was buying groceries in San Francisco with her debit card. The 26-year-old waitress and college student responded immediately, saying she didn’t make the purchase.

The credit union froze her card, but not before $300 had already been siphoned from her account to pay for the groceries. To make matters even more frustrating, the crooks were still trying to buy more groceries with her card even while she was on the phone with the credit union.

“I’m just thankful it got caught, but this is definitely one of the most vulnerable feelings I’ve ever had,” said Ms. McFarland, who last shopped at Home Depot a few months ago. She plans to use her credit card to buy books for school while she waits for a new debit card to arrive in the mail.

Write to Robin Sidel at robin.sidel@wsj.com

http://online.wsj.com/news/article_email/fraudulent-transactions-surface-in-wake-of-home-depot-breach-1411506081-lMyQjAxMTI0NTI4NDQyODQwWj