Credit and debit card numbers stolen from Wisconsin stores during the recent Home Depot data breach are now on the black market. Credit: Associated Press

More than 282,000 credit and debit card numbers stolen from Wisconsin stores during the recent Home Depot data breach have been offered for sale on the black market, a Milwaukee Journal Sentinel investigation has found.

The company said Thursday that the data breach had exposed an estimated 56 million payment cards, eclipsing the Target data breach, which involved 40 million cards. The malware that caused the breach has now been eliminated, the company said in a news release.

Home Depot has not disclosed which locations were affected, but the Journal Sentinel examination found credit card numbers were breached at all of the company's 26 Wisconsin locations.

In less than a minute, the Journal Sentinel — legally and without payment — gained access to the underground website on which the card numbers are for sale. It's the same group that sold millions of card numbers stolen in the Target breach last year.

The site caters to criminals looking to buy card numbers they can use to withdraw cash or buy electronics and gift cards. It lets potential buyers browse credit and debit cards by type, expiration date, name of the financial institution that issued the card and location of the Home Depot store where the card was compromised.

Hackers provide the full card number and name of the cardholder when purchased. The Journal Sentinel did not seek or gather that information.

As of Thursday, the seller of the stolen card numbers still guaranteed a valid rate of 100%, something hackers promise only when they're confident the cards have not yet been canceled. The validity rate falls over time.

"When they're 100% valid, that's an indicator that the merchant hasn't fixed the problem yet," said Brian Krebs, the cybersecurity reporter who broke the stories on the breaches at Target and Home Depot. "It's a live breach."

Krebs, a former Washington Post reporter who runs a website focused on cybersecurity, told the Journal Sentinel that hackers use compromised business accounts to run checks on cards to find out which ones are still valid.

Banks and law enforcement officials were alerted to the breach Sept. 2 when hackers advertised the first two batches of stolen cards for sale on the underground website. Banks and investigators found a 99% overlap between the locations where cards were hacked and Home Depot stores and tipped off the company.

Hackers caused last year's data breach at Target by installing malware that captured credit and debit card information when customers swiped their cards at the cash registers. The malware used in the Home Depot hack also captured information at the payment terminals.

On Thursday, Krebs reported that the investigation was centered on self-checkout lanes.

Home Depot spokeswoman Paula Drake said in an interview that as soon as the company was notified, it took steps to deal with the malware.

"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," the company said in a news release Thursday. "The hackers' method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."

The encryption, which Home Depot said scrambles raw payment information to make it unreadable and virtually useless to hackers, was completed in U.S. stores Sept. 13.

Krebs told the Journal Sentinel that suspected breaches were reported through Sept. 7.

That means cards may have been compromised for at least several days after Krebs first reported Sept. 2 that Home Depot was investigating "unusual activity" and after Home Depot officials confirmed Sept. 8 that a breach had occurred.

The company said at the time that the breach potentially affected all the chain's 2,266 home improvement stores in the United States and Canada, but not purchases made online.

What was stolen

Over the course of two days, the Journal Sentinel visited the underground website and downloaded all Wisconsin information available for free on the 13 batches of credit and debit cards that investigators have tracked to Home Depot stores.

The investigation found 282,302 card numbers used in Wisconsin listed for sale for a combined asking price of $8.16 million.

They include Visa, MasterCard, American Express, Discover and Maestro cards issued by dozens of banks. The number of cards compromised at each store ranges from 614 in Wisconsin Rapids to more than 21,000 in west Madison, according to an analysis.

Hackers have been releasing and selling the cards in batches of several hundred thousand at a time. It's difficult to tell how many cards were put up for sale in each batch because the site only displays up to 1,650 cards at a time.

Some may have been posted and sold before the Journal Sentinel began its review; others may not have been put up for sale yet.

The Journal Sentinel investigation shows the average black market price per card stolen in Wisconsin was $28.90.

Prices start at $2.26 for a Visa debit card with an expiration date of September 2014. The most valuable cards are MasterCard platinum debit cards and business credit cards. The most expensive card compromised in Wisconsin, a MasterCard valid through December 2015, was advertised at $127.50.

Prices of stolen cards typically peak right after a data breach and drop as cards are canceled.

Already, the hackers have sold an estimated $50 million worth of card numbers, according to CBS. BillGuard, a credit protection firm, estimates the hack could lead to $3 billion in fake charges.

Among the information sold on the black market is the ZIP code in which the card was used. By using the card in the general geographic area where the cardholder normally shops, purchases are less likely to trigger fraud alerts and closure of the card.

Criminals use the card information for sale on the black market to create counterfeit cards that function like the original card, according to Krebs and other security experts. Cards are most valuable when they can be used as debit cards to withdraw cash from an ATM, but to do this, criminals need the PIN number.

Home Depot said there's no evidence that hackers obtained the PIN numbers on debit cards.

However, many banks allow people to reset the PIN code on a debit card by calling an automated system, as long as the caller can pass a security check. This requires the caller to provide at least three out of five pieces of information, for instance the expiration date on the card and the cardholder's date of birth and Social Security number.

Criminals can also buy that information online.

Once criminals have the PIN code on a debit card reset through the automated system, they can withdraw money from an ATM. Hackers have already withdrawn $25,000 on debit cards from the Home Depot breach at an ATM in Canada and $300,000 on multiple cards in Italy.

Few reissuing cards

Only a few financial institutions, including UW Credit Union, have started a blanket reissuing of cards to their consumers in response to the latest breach.

Rose Oswald Poels, president and CEO of the Wisconsin Bankers Association, said each bank makes its own decision on whether to reissue cards to all its customers based on how many are affected and whether customers are requesting new cards.

She said reissuing cards to everyone can be problematic because consumers may miss auto-paid bills when a card is canceled — which may affect people's credit scores — and because there's a backlog of cards to be issued.

For now, it's up to Home Depot customers to request new cards from their financial institution. However, experts worry that many consumers have "breach fatigue" and are waiting for a notification from their banks or from Home Depot on what locations were breached instead of taking action.

Drake, the company spokeswoman, said earlier this week she doesn't have a timeline for when the company will announce which locations were affected.

"The investigation is around the clock and involves the law enforcement partners and our own IT security folks," she said. "The desire is to make that happen as quickly as possible."

Monitoring accounts

Home Depot has promised customers won't be liable for any unauthorized charges as a result of the breach. Home Depot or the financial institution that issued the card will pay. Home Depot has asked customers to pay close attention to charges on their accounts.

Drake wouldn't comment specifically on the Journal Sentinel's findings, citing the continuing investigation.

"Our reaction is, clearly, that we're sorry for the frustration and anxiety that causes our customers," she said. "We definitely want to thank them for their patience and support as this investigation continues."

Home Depot has offered free credit monitoring and identity theft protection for a year through AllClear ID for any customer who shopped at Home Depot and paid with a card since April 1.

Credit monitoring can alert consumers when someone applies for a new line of credit in their name, which affects the consumers' credit reports. However, credit monitoring services can't tell whether criminals are making fraudulent purchases on people's current cards.

Oswald Poels urged consumers to keep monitoring their bank accounts on a regular basis. She noted that the Home Depot breach showed hacked card numbers may not be offered for sale or used for fraudulent activity until months after they're stolen.

"It's possible that a criminal could spend two months to gather this data and sit on it and then use it," she said.

Home Depot's breach lasted from April to September and may involve nearly all 2,266 stores. It eclipses the three-week data breach at Target in November and December 2013, which affected nearly 1,800 stores.

In the Target breach, hackers stole about 40 million cards and managed to sell between 2 million and 4 million card numbers in several dozen batches over two months, Krebs said.

Only 2.2 million customers (5.5%) subsequently took advantage of the free credit monitoring, Target spokeswoman Molly Snyder said.

Erin Caughy of the Journal Sentinel staff contributed to this report.

Free protection

Customers who used a payment card at a Home Depot store since April 1 can sign up for free identity theft protection and credit monitoring services through AllClear ID. Signup is available until Sept. 8, 2015.

To sign up and to learn more, visit homedepot.allclearid.com or call (800) HOME-DEPOT — (800) 466-3337.

Correction: An earlier version of this article incorrectly stated the brands of credit cards that have been compromised and were available for purchase as of Sept. 12. Visa, MasterCard, American Express, Discover and Maestro card numbers were stolen, not Diners Club International cards as previously mentioned.