Home Depot confirms customer data breach at U.S., Canada stores

Home Depot acknowledged on Monday a malware capable of stealing customer credit-card information has been found at Canadian locations.
Home Depot acknowledged on Monday a malware capable of stealing customer credit-card information has been found at Canadian locations. AP Photo/Mark Humphrey

Home Depot confirmed on Monday it has discovered software buried within its Canadian and U.S. stores designed to steal credit- and debit-card information from customers.

“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” Frank Blake, chairman and chief executive of Home Depot, said in a statement on Monday afternoon.

MORE: Home Depot asks Canadians to report ‘unusual activity’ on credit, debit cards

Blake added, “no customers will be responsible for fraudulent charges to their accounts.”

Home Depot operates about 180 stores across Canada and 2,200 in the United States.

The big box renovation store first confirmed last Tuesday it was investigating a possible hack of its in-store payment systems in Canada.

Story continues below advertisement

Home Depot’s investigation revealed the attack from online criminals extended as far back as April, “and the company has taken aggressive steps to address the malware and protect customer data.”

Similar to what’s been seen in a recent spate of cyberattacks against retailers — notably a widespread breach at Target last year — criminals sought to steal and then discreetly sell credit and debit card information of Home Depot shoppers through underground online sites.

Home Depot said Monday it will provide free credit monitoring services to any customer who paid electronically in stores in 2014.

There is no evidence that debit PIN numbers on bank account cards were compromised, Home Depot said.

Financial news and insights delivered to your email every Saturday.

“The company continues to determine the full scope, scale and impact of the breach,” the statement said.

Chip and pin technology

Experts say the breach may have a less severe impact on Canadian shoppers. That’s because U.S. retailers still widely accept older cards that aren’t protected with “chip-and-pin” technology, a protection that now covers about nine in 10 credit- and debit-cards in use in Canada.

While criminals could steal your credit card number through malicious software illegally embedded in a retailer’s in-store payment system, future transactions using the number would fail if they weren’t accompanied by the input of your chip-protected pin at the point of sale, experts say.

Story continues below advertisement

Still, despite the more secure technology, Home Depot’s Canadian customers aren’t immune from attempts to steal credit card information.

“Even though we don’t have the same exposure, there’s still value in our stores being attacked,” Mark Nunnikhoven, vice-president of emerging technologies at Trend Micro, an online security firm, said.

“One of the problems we have with cybercrime is that once you’ve done an attack once, the cost to do it again is negligible if anything,” he said. “While I might not get the same gain [in Canada], I also didn’t make the same investment – it’s sort of like you’ve already reached into the cookie jar, why not grab more?”

WATCH: Home Depot hack job

Big retailers with operations across both the U.S. and Canada are particularly susceptible because of the volume of transactions they handle as well as the high probability they share networking resources.

Story continues below advertisement

“The challenge we have in Canada is that a lot of retailers either directly share networks with their American counterparts, or at least have the same systems set up here,” Nunnikhoven said.

“So if I have a successful attack on Home Depot, if Home Depot Canada is set up the same way, it’s going to cost me almost nothing to try that same attack up here.”

Because of the length of time, some experts suggest the current breach could rival – or even be larger – than the recent attack on Target Corp., which affected tens of millions of shoppers at U.S. stores, as well as thousands in Canada.

MORE: Target Canada confirms some shoppers affected by data breach

“Criminals have realized that large retailers are a quick hit, are relatively easy to breach and there’s a huge financial upside for them. So it’s a really enticing target for them to go after,” Nunnikhoven said.

Sponsored content