Home Depot data breach was bigger than Target's. Were you affected?

Home Depot said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers. Home Depot said the breach took place between April and September. 

Toby Talbot/AP/File
Shoppers walk through the aisles at the Home Depot store in Williston, Vt. The Home Depot on Thursday, Sept. 18, 2014 said it has eliminated malware from its U.S. and Canadian networks that affected 56 million unique payment cards between April and September.

The size of the theft at Home Depot trails only the theft of 90 million records from TJX Companies, disclosed in 2007. Target's breach compromised 40 million credit and debit cards.

Home Depot, the nation's largest home improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.

It said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a "major" payment security project that provides enhanced encryption of customers' payment data in the company's U.S. stores.

But unlike Target's breach, which sent the retailer's sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach's ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run to several hundred million dollars, similar to Target's breach.

"This is a massive breach, and a lot of people are affected," said John Kindervag, vice president and principal analyst at Forrester Research. But he added, "Home Depot is very lucky that Target happened because there is this numbness factor."

Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus. Home Depot might have also benefited from the disclosure of the breach coming in September, months after the spring season, which is the busiest time of year for home improvement. 

And unlike Target, which has a myriad of competitors, analysts note that home-improvement shoppers don't have many options. Moreover, Home Depot's customer base is different from Target's. Nearly 40 percent of Home Depot's sales come from professional and contractor services. Those buyers tend to be fiercely loyal and shop a couple of times a week for supplies.

Home Depot on Thursday confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company's fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call center staffing and paying legal and professional services.

However, the profit guidance doesn't include potential yet-to-be-determined losses related to the breach. The company said it has not yet estimated costs beyond those included in the guidance issued Thursday. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental investigations and enforcement proceedings.

"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot's chairman and CEO, Frank Blake, said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."

Earlier this month, the Monitor reported on what steps customers affected by data breaches could take to minimize the damage: 

“The problem with security is that it is like insurance. It is something you have to invest in up front, and the attack may or may not happen," said Phil Montgomery, executive vice president of Identiv, a security firm. "It’s hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.”

With each breach, businesses are losing business and consumer confidence. Thus far, Target has spent $146 million in breach-related expenses, not including insurance payments.

“Cyber attacks probably aren’t going to go away anytime soon because security is going to require a big investment,” Cobb says. “Payment technology needs to be seriously upgraded. People have been saying this for many years, but now we are seeing the consequences for it not happening.”

What should you do if you shopped at Home Depot during the time of the possible breach?

The only thing customers can do right now is keep an eye on bank statements, according to the Federal Trade Commission. That includes comparing receipts to your bank statement, checking any bills that you receive to make sure they were your purchases, and letting your credit card issuer know if there are any questionable charges. Customers can also keep an eye out for an email from their credit card company regarding possible fraud.

The breach at Home Depot was first reported on Sept. 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity.

Target's high-profile breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. Supporters say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.

Target has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores. Home Depot said it will be activating chip-enabled checkout terminals at all of its U.S. stores by the end of the year.
