Estimated read time: 4-5 minutes
This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
NEW YORK (AP) — Home Depot said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers.
The size of the theft at Home Depot trails only that of TJX Companies' heist of 90 million records disclosed in 2007. Target's breach compromised 40 million credit and debit cards.
Home Depot, the nation's largest home improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.
It said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a "major" payment security project that provides enhanced encryption of customers' payment data in the company's U.S. stores.
But unlike Target's breach, which sent the retailer's sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach's ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars, similar to Target's breach.
SALT LAKE CITY — The Home Depot's assurance Thursday that customers would not be liable for fraudulent charges connected to a massive data breach came as a relief to one West Jordan man, who said he learned of multiple fraudulent accounts and charges as a result of his information being compromised.
Ashton Smith said he didn't know he had a problem until his card was declined when he tried to make a purchase on The Home Depot app. He subsequently realized the new card The Home Depot mailed him recently had a different number than the one he was accustomed to using, and then noticed a prompt on the app that offered more information about the data breach.
"We were just like, 'Yep, let's go check the credit to be on the safe side,' " Smith said.
Smith and his wife, Trisha, requested their credit reports, and he soon learned of a $400 fraudulent charge at The Home Depot, a second account at the store that he didn't open, 5 new phone lines and $1,000 in charges at Verizon, plus credit inquiries at Dick's Sporting Goods and another retailer.
"Very, very frustrating," he said, Experian report still sitting on the kitchen counter as a reminder of the troubles. "For me to have to do all the work and not to hear anything other than a notice on an app was very frustrating to me."
Smith said the purchases, new accounts and inquiries all appeared to have been made or created in Salt Lake County — all on Aug. 4 — pointing to the possibility that the data mined from The Home Depot breach had been sold off and purchased by someone in Utah.
He also said he believed more information was stolen beyond simply card numbers.
"Apparently they have my social security number if they were able to apply and get something to go through," Smith said.
Home Depot in a statement posted to its website Thursday said customers would not be liable for fraudulent charges made to their accounts, and they could receive free identity protection services and credit monitoring.
"We apologize for the frustration and inconvenience this breach may have caused," the statement read.
"We're still going to have to monitor it every day to make sure that they're doing what they should do and our information is still not getting stolen," Smith said.
Jeffrey Coburn, supervisory special agent at the cyber division of the FBI's Salt Lake City field office, offered three tips to people potentially impacted by data breaches:
- Monitor your account activity. Change passwords for that account as soon as possible.
- If you used the same password for any other accounts or social media, change the others immediately. (It is good practice to never use the same passwords for more than one account because if one is breached, they all have the potential of being breached.)
- An added step of security is to contact the 3 credit bureaus and place a hold on any new account creation.
"This is a massive breach, and a lot of people are affected," said John Kindervag, vice president and principal analyst at Forrester Research. But he added, "Home Depot is very lucky that Target happened because there is this numbness factor."
Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus. Home Depot might have also benefited from the disclosure of the breach coming in September, months after the spring season, which is the busiest time of year for home improvement.
And unlike Target, which has a myriad of competitors, analysts note that home-improvement shoppers don't have many options. Moreover, Home Depot's customer base is different from Target's. Nearly 40 percent of Home Depot's sales come from professional and contractor services. Those buyers tend to be fiercely loyal and shop a couple of times a week for supplies.
Home Depot on Thursday confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company's fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call center staffing and paying legal and professional services.
However, the profit guidance doesn't include potential yet-to-be determined losses related to the breach. The company said it has not yet estimated costs beyond those included in the guidance issued Thursday. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental investigations and enforcement proceedings.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot's chairman and CEO, Frank Blake, said in a statement. "From the time this investigation began, our guiding principal has been to put our customers first, and we will continue to do so."
The breach at Home Depot was first reported on Sept. 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity.
Target's high-profile breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. Supporters say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.
Target has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores. Home Depot said it will be activating chip-enabled checkout terminals at all of its U.S. stores by the end of the year.
Follow Anne D'Innocenzio at http://www.Twitter.com/adinnocenzio
Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.