A week after it was first reported that Home Depot may be the victim of a serious data breach, the home improvement chain confirmed on Monday that its payment systems had, in fact, been hacked. The full extent of the breach is still not known, but the way things are looking, the New York Times notes, the compromised data could end up being “the largest known breach of a retail company’s computer network.”
Home Depot says customers who used credit or debit cards at the retailer’s more than 2,000 stores in the U.S. and Canada could be affected, and the company is investigating transactions as far back as April. That casts a pretty wide net of potential damage, although Home Depot said it has not found evidence that PIN numbers of customers’ debit cards were swiped, nor that online customers are affected, the Associated Press reports.
The Home Depot breach is expected to eclipse the attack on retailer Target’s computer system last December, the largest known retail hack to date, which affected 40 million customers. A person briefed on the investigation tells the Times the number of credit cards stolen this time around at Home Depot could surpass 60 million. “Target’s breach went on for three weeks before the company learned about it, while the attack at Home Depot went unnoticed for as many as five months,” the Times notes.
Here’s more from the Times:
Last week, before Home Depot had confirmed the hack, customers in Georgia had already filed a class-action lawsuit against the retailer for failing to protect customers from fraud and failing to alert them to the breach in a timely manner… The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with the malware, which is programmed to siphon payment card details from in-store cash registers. They believed that many of these businesses did not even know they were leaking customers’ credit card information.
Among the companies that have been hacked are UPS, Goodwill, P.F. Chang’s, Sally’s Beauty, Michael’s, Neiman Marcus, and now Home Depot. Security experts believe the same group of criminals in Eastern Europe is behind the attacks, according to several people briefed on the results of forensics investigations who were not allowed to speak publicly because of nondisclosure agreements. In each case, the entry point has differed, according to one law enforcement official. At Target, it was thought to be a Pennsylvania company that provided heating, air-conditioning and refrigeration services to the retailer. The entry points for the other businesses are still unknown.