The home improvement retailer confirms its customers’ payment card data was breached in an incident that is believed to have begun in April, likely compromising millions of card accounts.
One of North America’s largest retailers has confirmed that it was successfully compromised in a months-long campaign by attackers, resulting in what is believed to be the compromise of millions of customer payment cards.
In a long-awaited statement issued late Monday, Home Depot acknowledged that its payment card-processing system was breached, affecting payment card data belonging to customers of stores in the U.S. and Canada.
The Atlanta-based home improvement retailer said its investigation is focusing on April 2014 forward, indicating that the breach event may have been months long, spanning from April through August or early September.
“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in the statement. It did not reveal the number of payment card accounts that may have been compromised.
It first learned of the breach via reports from banking partners and law enforcement on the morning of Sept. 2, according to the statement, and began its investigation immediately.
The company said that following the discovery of the breach, it has taken “aggressive steps to address the malware and protect customer data,” which included hiring security vendors Symantec Corp. and FishNet Security Inc. to investigate the breach.
Investigative security journalist Brian Krebs was first to report the Home Depot breach a week ago after multiple banks informed Krebs that they had identified stolen card data purportedly originating from Home Depot retail locations for sale on a popular black market website.
Krebs reported Sunday that a source close to the Home Depot investigation revealed that the breach was at least partially caused by a new variant of the Kaptoxa or BlackPOS point-of-sale malware used in last December’s massive Target Corp. data breach, causing speculation that the same attacker or group of attackers may be behind both breaches.
While Home Depot said there is no evidence that customers’ debit and PIN numbers were compromised, Krebs reported late Monday that banks have seen a spike in debit card fraud. He wrote digital criminals are using the data stolen from Home Depot to contact banks in an effort to reset customers’ debit card PIN numbers and in turn withdrawn cash from ATMs using fabricated debit cards.
Early indications suggest the Home Depot breach may dwarf the Target data breach, particularly if a four-plus-month breach event affected nearly all of the retailer’s more than 2,200 stores across the U.S. and Canada.
By comparison, the Target breach that resulted in the compromise of some 40 million payment cards reportedly only occurred during a three-week period last year and affected just under 1,800 stores. That breach played a role in a string of bad financials results for the company, including $146 million in breach-related expenses outside of insurance coverage, and culminated in the ousting of Target CEO Gregg Steinhafel and other long-time executives.