Atlanta – The Home Depot has confirmed that its payment data systems have been breached, potentially impacting all U.S. and Canadian customers who shopped its stores with credit or debit cards since April.
Word of the hacking surfaced last week when security blogger and former Washington Post reporter Brian Krebs posted word of a massive batch of new stolen card information that had gone on sale in the “cybercrime underground.”
Krebs said thieves may have used a variant of the malware that copied account data from Target cash registers last December, and that this latest security breach could exceed the approximately 40 million payment cards that were compromised at the discount chain. Some estimates put Home Depot’s hack as high as 60 million accounts.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Home Depot’s chairman and outgoing CEO Frank Blake.
The No. 1 home-improvement chain said it launched an investigation on Sept. 2 after receiving alerts from banking partners and law enforcement. It said it is working with IT security firms, banks and the Secret Service to determine “the full scope, scale and impact of the breach,” but doesn’t believe that debit PIN numbers were compromised.
The company is assuring customers that they will not be responsible for fraudulent charges to their accounts, and is offering free identity protection services, including credit monitoring, to any shopper who used a payment card at a Home Depot store from April on.
Krebs reported that the hackers may be the same group of Russian cyber thieves responsible for the Target breach, and that the stolen Home Depot data is being sold under the name “American Sanctions” — suggesting that the theft was in retaliation for the economic sanctions imposed on Russia following its aggressive actions in Ukraine.