Home Depot asks Canadians to report ‘unusual activity’ on credit cards
Home Depot says it’s taken several steps including hiring an outside cyber-security firm to determine whether criminals have hacked its in-store payment systems and stolen the financial information of customers — including a potential breach at Canadian locations.
A spokesperson said Thursday the big box renovation store can’t yet confirm whether a breach has occurred at Canadian or U.S. stores.
“Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning,” Home Depot spokesperson Paula Drake told Global News.
“It’s important to note that in the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges,” Drake added.
A Canadian spokesperson confirmed Tuesday the renovation chain’s 180 Canadian stores were part of a company-wide investigation.
Drake also advised Canadian consumers “to closely monitor their accounts and contact their card issuers if they notice any unusual activity.”
Free identity protection services, including credit monitoring, would be extended to affected Canadian shoppers, should Home Depot Canada confirm a breach, she said.
Experts suggest the U.S. chain of 2,200 or so stores would likely be the principal target of cyber criminals looking to poach customer data, chiefly credit card numbers.
That’s because U.S. retailers still widely accept older cards that aren’t protected with “chip-and-pin” technology, a protection that now covers about nine in 10 credit cards in use in Canada, experts say.
While criminals could steal your credit card number through malicious software illegally embedded in a retailer’s in-store payment system, future transactions using the number would fail if they weren’t accompanied by the input of your chip-protected pin at the point of sale, experts say.
Canadian stores not immune
Still, despite the more secure technology, Home Depot’s Canadian customers aren’t immune from attempts to steal credit card information.
“Even though we don’t have the same exposure, there’s still value in our stores being attacked,” Mark Nunnikhoven, vice-president of emerging technologies at Trend Micro, an online security firm, said.
“One of the problems we have with cybercrime is that once you’ve done an attack once, the cost to do it again is negligible if anything,” he said. “While I might not get the same gain [in Canada], I also didn’t make the same investment – it’s sort of like you’ve already reached into the cookie jar, why not grab more?”
Big retailers with operations across both the U.S. and Canada are particularly susceptible because of the volume of transactions they handle as well as the high probability they share networking resources.
“The challenge we have in Canada is that a lot of retailers either directly share networks with their American counterparts, or at least have the same systems set up here,” Nunnikhoven said.
“So if I have a successful attack on Home Depot, if Home Depot Canada is set up the same way, it’s going to cost me almost nothing to try that same attack up here.”
Home Depot said earlier this week it was working with U.S. law enforcement officials as part of the investigation. A request for comment about whether Canadian authorities had been contacted wasn’t immediately responded to.
The RCMP declined to comment on whether Home Depot Canada has asked for its help.
If a breach is confirmed, experts say it could rival – or even be larger – than the recent attack on Target Corp., which affected tens of millions of shoppers at U.S. stores, including thousands in Canada.
“Criminals have realized that large retailers are a quick hit, are relatively easy to breach and there’s a huge financial upside for them. So it’s a really enticing target for them to go after,” Nunnikhoven said.
WATCH: Home Depot is investigating a major cyber-security breach. It appears hackers have been busing infiltrating the store’s huge computer networks, gathering customers’ credit card information and possibly selling the data online. Mike Drolet has the details.