The US retailer has confirmed hackers had access to its point-of-sale systems for as long as five months
US retailer Home Depot has confirmed a security breach in the payment systems of its stores in North America that resulted in the theft of credit and debit card data,
It has been suggested this could be largest such incident to date and the company has said customers could have been affected from April until early last week, but added the PINs used to secure the cards did not seem to have been compromised.
The retailer said it has not yet determined the number of customers affected, but the figure could exceed 60 million, according to an unnamed source cited by The New York Times.
The breach of retail chain Target last year, currently the largest to date, affected about 40 million people, and occurred over a period of about three weeks, while the Home Depot compromise may have lasted for as long as five months.
The chain’s Mexico stores were not affected, nor was its online shop. Home Depot operates 1,977 stores in the US and 180 in Canada, about 400 more than Target had at the time of its breach.
The incident was first reported by blogger Brian Krebs early last week, and it seems to have been this report that alerted the company itself to the situation. The retailer had remained silent until now. Home Depot apologised for the breach, saying it had delayed notifying customers until its own investigation had confirmed the incident.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” said chairman and chief executive Frank Blake in a statement. “It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
Customers in the US state of Georgia filed a class-action lawsuit against the company last week for failing to protect customers and not alerting them sooner. Home Depot said it will offer identity protection and credit-monitoring services to those who used a card at any of its affected stores, adding that it has been working with security companies Symantec and FishNet Security to investigate since last week.
In August, the US Computer Emergency Readiness Team (US-CERT) warned that the point-of-sale systems of about 1,000 retailers had been compromised by the “Backoff” malware, linked to a criminal gang in Eastern Europe. According to some reports, however, the Home Depot breach may have been effected using BlackPOS, the same attack tool used in the Target incident.
Are you a security pro? Try our quiz!