Home Depot confirms massive data breach: Who's at risk?

Jonathan Ernst/Reuters/File
A customer wheels a cart through a Home Depot store in Washington, February 20, 2012. Home Depot Inc confirmed on Monday that its payment security systems have been breached, which could impact customers using payment cards at its stores in the United States and Canada.

Home Depot Inc confirmed on Monday its payment security systems have been breached, a data theft analysts warn could rival Target Corp's massive breach last year.

Home Depot said the data theft could impact its customers in stores across the United States and Canada, but there was no evidence that online customers were affected or debit personal identification numbers (PINs) were compromised.

"We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred," Chairman and Chief Executive Officer Frank Blake said in a statement. "It is important to emphasize that no customers will be responsible for fraudulent charges to their accounts."

The breach was first reported by security website KrebsOnSecurity almost a week ago. It said the problem could extend back to April and affect all of Home Depot's 2,200 stores in the United States.

No details were immediately available on how many customers were impacted. But Brian Krebs, who runs the security website, said last week the breach could be larger than Target's last year when hackers stole at least 40 million payment card numbers and 70 million other pieces of customer data.

Krebs reported on Monday that Home Depot's systems were hit by a variant of the same malware that compromised Target's systems last year.

Target has spent $146 million to resolve data breach-related issues since the fourth quarter of 2013. Most of these expenses were for settling actual and potential breach-related claims, mainly by payment card networks.

The largest known breach at a U.S. retailer was uncovered in 2007 at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains, which had more than 90 million credit cards stolen over about 18 months.

Home Depot said it started investigating the data breach last Tuesday, but the investigation will look at data from April. The Monitor reported on the initial investigation last week: 

The home improvement retailer is the latest high profile target to fall victim to a data breach. Last month, United Parcel Service (UPS) and Dairy Queen confirmed that their customer information was compromised. Last year, Target had data from 40 million payment cards and personal information on 70 million customers stolen. Neiman Marcus, P.F. Chang’s China Bistro, Walmart, Costco Wholesale, and Kroger Co. have also suffered recent cyberattacks.

Why are there so many breaches?

To accept credit cards, companies must comply with Payment Card Industry data standards. Without meeting these standards, a company cannot accept credit or debit cards. But it can still be easy to break into PCI-compliant systems, says Stephen Cobb, senior security researcher at ESET.

“It is possible to be PCI compliant and still be hacked,” Mr. Cobb notes, adding that the series of attacks has occurred because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.’”

Currently, it is up to each individual business to decide if they want to add other security measures to prevent cyberattacks. After Target was attacked, the company accelerated a chip-and-pin program on its Target credit cards to better protect credit card information. But some experts say businesses haven't gone far enough to protect themselves from breaches.

"It doesn't exactly say a lot of good things about their data security systems if something was able to go on for months and they didn't notice," said Kenneth Dort, partner at intellectual property practice group, Drinker Biddle & Reath LLP.

Home Depot promised free identity-protection services, including credit monitoring, to any potentially impacted customers.

Home Depot had said earlier it will roll out PIN- and chip-enabled cards at all its U.S. stores by the end of the year.

The retailer also said its internal information technology security team is working with banking partners, firms including Symantec Corp and Fishnet Security, as well as the U.S. Secret Service to gather facts in the investigation.

Shares of Home Depot ended 0.86 percent lower at $90.82 on the New York Stock Exchange on Monday.
