Home Depot confirms breach
9 September 2014
After nearly a week of investigation, Home Depot has confirmed that intruders had indeed broken into its payment networks and accessed credit and debit card data belonging to an unspecified number of customers who shopped at its US and Canadian stores.
The statement announcing the breach did not detail the number of stores affected or the total number of cards compromised. Instead, it merely noted that the company is looking into the possibility that the breach occurred in April.
Home Depot also said there is no evidence that debit Personal Identification Numbers (PIN) were compromised. Nor is there evidence the breach affected any Home Depot stores in Mexico or purchases made online at the company’s web site.
Since being told about the breach last Tuesday (02/09/2014), Home Depot has been working around the clock to mitigate the situation, the company added.
“We apologise for the frustration and anxiety this causes our customers,” Frank Blake, chairman and CEO of Home Depot, said in the statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasise that no customers will be responsible for fraudulent charges.”
The statement is interesting because it makes no mention at all of the potential size and scope of the breach.
According to security blogger Brian Krebs, who first reported the intrusion, evidence from the cyber-underground suggests that nearly every one of Home Depot’s 2,200 stores in the US was impacted. The fact that the breach also remained undetected for more than three months suggests that it may end up being the biggest compromise of payment card data ever, Krebs noted.
In fact, the Home Depot breach could turn out to be several times larger than the one at Target last December in which more than 40 million payment cards were compromised.
Several companies have reported data breaches in recent days, including grocery chain Supervalu, UPS Stores Inc. and Dairy Queen.
The breaches have highlighted escalating concerns over a point of sale (PoS) system malware tool dubbed “Backoff” that has affected over 1,000 US businesses, according to federal law enforcement authorities. Security firm Kaspersky Labs, which conducted its own research of the malware, believes the number could be much higher.
If other large breaches are any indication, the data compromise at Home Depot could cost the retailer hundreds of millions of dollars in remediation costs, fines and legal fees.
Since news of the breach went public, Home Depot’s shares have fallen by about 3% from $93.11 last Tuesday to $90.82 on Monday. After the company confirmed the breach late, its shares dropped by nearly another per cent in after-hours trading.
Jaikumar Vijayan, IDG News Service