Home Depot confirms breach but stays mum as to size
On Monday, Home Depot confirmed that thieves compromised the payment systems in its stores in the US and Canada and stole credit and debit card data.
The theft likely began in April and used unspecified malware, but it may not have compromised the PINs used to secure debit cards, the company said in a statement. The home supply retailer has not yet determined how many cards were breached, but the thieves had as many as six months in the company’s systems. By comparison, the malware-enabled theft of card data from retail giant Target resulted in the compromise of 40 million credit and debit card accounts and occurred in just over three weeks, albeit during the peak shopping season.
Home Depot’s Chairman and CEO Frank Blake apologized to customers on Monday.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” Blake said in a statement. “It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
The investigation into the theft of payment data began on Tuesday morning, following warnings from banking partners that fraudulent cards linked to Home Depot started tripping fraud alarms worldwide. Several banking sources leaked information on the investigation to independent blogger and journalist Brian Krebs, who broke the story later that day.
For almost a week, steady reports on the breach made headlines, but without Home Depot’s confirmation.
Cybercriminals have profited from the lack of security around retail point-of-sale (POS) systems. In August, the US Computer Emergency Readiness Team (US-CERT) warned that an estimated 1,000 retail companies had been breached by malware known as “Backoff.” While some security researchers predicted that Backoff was the likely culprit in the Home Depot breach, unnamed investigators reportedly named a different malicious program, BlackPOS, as the attack tool. BlackPOS was used in the Target breach.
Home Depot plans to provide identity protection services to any customer affected by the breach of its systems. The company also reiterated its pledge to roll out chip-and-PIN security to all US stores by the end of this year. Visa and Mastercard will require stores to offer chip-and-PIN transactions or be held liable for breaches of card data in the future.