I-Team: Possible Home Depot Data Breach
CHICAGO -- Home Depot may be the latest retailer to suffer a major credit card data breach.
The Atlanta-based home improvement retailer told The Associated Press Tuesday that it is working with both banks and law enforcement to investigate "unusual activity" that would point to a hack.
"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," said Paula Drake, a spokeswoman at Home Depot, declining to elaborate. She said the retailer would notify customers immediately if it confirms a breach.
Security and fraud experts area warning people to be on alert.
"This one potentially could be bigger than Target, because it appears that this hack has been going on since April or May," said Prof. William Kresse, Governors State University.
If you are a Home Depot shopper who used a card recently you should monitor account statements, and strengthen your account passwords to include characters and numbers.
Credit and most debit cards are protected but sometimes transaction reversals can take time and further investigation.
"One of the other things that's going to help a lot is the conversion from credit cards that just have a magnetic stripe on the back, to what's called chip and pin technology, where there's a chip that's contained inside the credit card with a unique code," said Prof. Kresse.
Professor William Kresse says this potential data breach like others could be linked to the Russian cyber gangs attack last month.
"We believe they're coming out of Russia or the Ukraine region, it seems that this was in retaliation, or at least response, to American sanctions against Russia," said Prof. Kresse.
In some cases, hackers can actually put your card information on their card stripes. Store clerks are supposed to stop that by verifying the last four digits of the card, but experts say that rarely happens.
Hackers have broken security walls for many retailers in recent months, including Target, grocery store chain Supervalu, P.F. Chang's and the thrift store operations of Goodwill. The rash of breaches has rattled shoppers' confidence in the security of their personal data and pushed retailers, banks and card companies to increase security by speeding the adoption of microchips into U.S. credit and debit cards.
The possible data breach at Home Depot was first reported by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity. Krebs said multiple banks reported "evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards" that went on sale on the black market earlier Tuesday.
Krebs reported that it's not clear how many stores were affected but preliminary analysis indicates the breach may have affected all 2,200 Home Depot stores in the U.S. Several banks that were contacted said they believe the breach may have started in late April or early May.
"If that is accurate - and if even a majority of Home Depot stores were compromised - this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period," said the Krebs post.
Krebs said that the party responsible for the breach may be the same group of Russian and Ukrainian hackers suspected in the Target breach late last year. Krebs also broke the news of Target's breach.
Target Corp., based in Minneapolis, is still trying to get beyond its massive breach that occurred late last year and hurt sales, profits and its reputation with customers. It has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores.
New payment terminals will appear in stores by this month, six months ahead of schedule. In April, the retailer announced it teamed up with MasterCard to issue branded Target payment cards equipped with chip technology by early in 2015.
Wal-Mart Stores Inc., the world's largest retailer, is also sending customers who have a store credit card a chip-enabled MasterCard, while its Sam's Club division introduced a chip-enabled MasterCard in June. The company has chip-enabled check-out terminals in 4,600 stores, and terminals in the remaining U.S stores will be activated before the end of the year.
In a separate statement Tuesday, Goodwill said its customers' credit and debit card numbers had been stolen at more than 300 stores in 19 states and Washington, D.C. rom February 2013 through Aug. 14. Goodwill blamed the security lapse on an unidentified contractor's payment processing system. Reports about fraud linked to shoppers' cards have been "very limited," Goodwill said.
The Associated Press contributed to this report.
The company had said in July that it was investigating the breach.
