The Home Depot confirmed that its payment systems were breached by data thieves, potentially exposing millions of credit or debit card numbers used by customers shopping in U.S. and Canadian stores.
Officials said they still do not know how many credit and debit card numbers were taken, but the company is investigating transactions as far back as April.
In a statement late Monday, officials of the Atlanta-based hardware giant promised that no one will have to pay for “fraudulent” charges, and the company set up a reporting page on its website for concerned customers to register and get more information. The company declared that, at least for debit cards, “there is no evidence” that PIN numbers were taken.
Home Depot Chairman and CEO Frank Blake addressed customers in a press release, apologizing for their “frustration and anxiety” and aiming to provide some reassurance that the theft will not cost them.
“It is important to emphasize that no customers will be responsible for fraudulent charges to their accounts,” Blake said.
The “malware” that was used to steal from Home Depot was the same as that used to pilfer consumer data from Target, an expert reported Monday. That Target attack exposed an estimated 40 million customer accounts, has reportedly cost the company $148 million so far and generated dozens of lawsuits.
“[Home Depot] continues to determine the full scope, scale and impact of the breach,” said the Home Depot statement.
Home Depot has 1,977 stores in the United States and 180 in Canada and has annual revenues of more than $80 billion, about 10 percent more than Target. At least one lawsuit has been filed against Home Depot for damages caused by the breach.
IT security firms Symantec and FishNet Security are working with Home Depot on the investigation, which began Sept. 2. Their cyber-forensics reach back as far as April, but the security team apparently still does not know how long the thieves were operating within Home Depot systems.
The company also promised to finish installing a “chip and PIN” security system for card transactions in all U.S. stores by the end of this year. That technology is considered more secure, partly because it makes it harder to copy account numbers and security codes.
Home Depot is offering free identity protection services, including credit monitoring, to any customer who has used a payment card at one of its stores since April.
Brian Krebs, the security expert who first reported the breach last week, has written that he believes that the thieves had at least three months of access to Home Depot systems.
On Monday, Krebs wrote that at least some of Home Depot’s store registers were infected with a variation of something called BlackPOS or Kaptoxa, software designed to steal data from credit and debit cards when they are swiped through systems running Microsoft Windows.
The new information came from sources close to the investigation of the data breach, Krebs said.
The first evidence of the theft came Sept. 2, when several bursts of stolen credit cards showed up for sale on a web site known as Rescator, which deals in stolen credit information. The site allows purchasers to filter the cards by zip code, which can slow a company’s realization that they have been stolen.
The site was used to sell stolen numbers from breaches at Target, P.F. Chang’s and Harbor Freight, Krebs wrote.
Business Week has referred to that web site as “the Amazon.com of the black market.”