Home Depot confirmed on Monday it has discovered software buried within its Canadian and U.S. stores designed to steal credit- and debit-card information from customers.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” Frank Blake, chairman and chief executive of Home Depot, said in a statement on Monday afternoon.
Blake added, “no customers will be responsible for fraudulent charges to their accounts.”
Home Depot operates about 180 stores across Canada and 2,200 in the United States.
The big box renovation store first confirmed last Tuesday it was investigating a possible hack of its in-store payment systems in Canada.
Home Depot’s investigation revealed the attack from online criminals extended as far back as April, “and the company has taken aggressive steps to address the malware and protect customer data.”
Similar to what’s been seen in a recent spate of cyberattacks against retailers — notably a widespread breach at Target last year — criminals sought to steal and then discreetly sell credit and debit card information of Home Depot shoppers through underground online sites.
Home Depot said Monday it will provide free credit monitoring services to any customer who paid electronically in stores in 2014.
There is no evidence that debit PIN numbers on bank account cards were compromised, Home Depot said.
“The company continues to determine the full scope, scale and impact of the breach,” the statement said.
Chip and pin technology
Experts say the breach may have a less severe impact on Canadian shoppers. That’s because U.S. retailers still widely accept older cards that aren’t protected with “chip-and-pin” technology, a protection that now covers about nine in 10 credit and debit cards in use in Canada.
While criminals could steal your credit card number through malicious software illegally embedded in a retailer’s in-store payment system, future transactions using the number would fail if they weren’t accompanied by the input of your chip-protected pin at the point of sale, experts say.
Still, despite the more secure technology, Home Depot’s Canadian customers aren’t immune from attempts to steal credit card information.
“Even though we don’t have the same exposure, there’s still value in our stores being attacked,” Mark Nunnikhoven, vice-president of emerging technologies at Trend Micro, an online security firm, said.
Big retailers with operations across both the U.S. and Canada are particularly susceptible because of the volume of transactions they handle as well as the high probability they share networking resources.
“The challenge we have in Canada is that a lot of retailers either directly share networks with their American counterparts, or at least have the same systems set up here,” Nunnikhoven said.
“So if I have a successful attack on Home Depot, if Home Depot Canada is set up the same way, it’s going to cost me almost nothing to try that same attack up here.”
Because of the length of time the attack ran, some experts suggest the current breach could rival, or even be larger than, the recent attack on Target Corp., which affected tens of millions of shoppers at U.S. stores, as well as thousands in Canada.
“Criminals have realized that large retailers are a quick hit, are relatively easy to breach and there’s a huge financial upside for them. So it’s a really enticing target for them to go after,” Nunnikhoven said.