It seems yet another store has had customer data stolen.
Home Depot announced Tuesday that it is investigating reports that customer credit and debit card information was taken in a cyber attack.
“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Paula Drake, spokeswoman at Home Depot, told Krebs on Security. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
Krebs on Security reported that several banks believe the breach began in April or May of this year, meaning the breach potentially could be one of the biggest retail hacks to date. Home Depot said it will pay for a year of identity protection to impacted customers.
The home improvement retailer is the latest high-profile target to fall victim to a data breach. Last month, United Parcel Service (UPS) and Dairy Queen confirmed that their customer information was compromised. Last year, Target had data from 40 million payment cards and personal information on 70 million customers stolen. Neiman Marcus, P.F. Chang’s China Bistro, Walmart, Costco Wholesale, and Kroger Co. have also suffered recent cyberattacks.
Why are there so many breaches?
To accept credit cards, companies must comply with Payment Card Industry data standards. Without meeting these standards, a company cannot accept credit or debit cards. But it can still be easy to break into PCI-compliant systems, says Stephen Cobb, senior security researcher at ESET.
“It is possible to be PCI compliant and still be hacked,” Mr. Cobb notes, adding that the series of attacks has happened because businesses don't go beyond minimum requirements. “There is a lot of discussion about updating the standard, and a lot of people in security are saying ‘having a standard in compliance isn't being secured.’”
Currently, it is up to each individual business to decide if they want to add other security measures to prevent cyberattacks. After Target was attacked, the company accelerated a chip-and-pin program on its Target credit cards to better protect credit card information. But some experts say businesses haven't gone far enough to protect themselves from breaches.
A spokesman for Home Depot said the retailer could not release further information on its own data protection procedures.
“The problem with security is that it is like insurance. It is something you have to invest in up front, and the attack may or may not happen," said Phil Montgomery, executive vice president of Identiv, a security firm. "It’s hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”
With each breach, businesses are losing business and consumer confidence. Thus far, Target has spent $146 million in breach-related expenses, not including insurance payments.
“Cyber attacks probably aren’t going to go away anytime soon because security is going to require a big investment,” Cobb says. “Payment technology needs to be seriously upgraded. People have been saying this for many years, but now we are seeing the consequences for it not happening.”
What should you do if you shopped at Home Depot during the time of the possible breach?
The only thing customers can do right now is keep an eye on bank statements, according to the Federal Trade Commission. That includes comparing receipts to your bank statement, checking any bills that you receive to make sure they were your purchases, and letting your credit card issuer know if there are any questionable charges. Customers can also keep an eye out for an email from their credit card company regarding possible fraud.
Happily, customers aren't responsible for fraudulent charges if credit or debit card information is stolen.