Home Depot Inc. confirmed Monday that its payment
systems were breached at nearly 2,200 U.S. and Canadian stores in a cyberattack
that may have stretched back to April. The company said it is working
aggressively to root out the malware that infected its data systems and protect
its customer data, but stopped short of addressing when or whether the breach
had ended.
The acknowledgment is the result of an investigation begun
by the home-improvement company a week ago after it received reports from banks
and law enforcement that its payment data systems may have been hacked. Since
then, it has been working with the Secret Service and banks, as well as with
computer security firms Symantec Corp. and Fishnet Security, to
determine whether it had been hacked and uncover the software responsible.
Law enforcement and payment officials were concerned about
the potential scale of the attack, since it may have persisted for more than
four months, much longer than the holiday-season attack on Target Corp. that
compromised data from 40 million credit- and debit-card accounts. One person
familiar with parts of the investigation said tens of millions of cards may
have been affected.
The attack may have begun during the company's busy spring
selling season and follows warnings from law enforcement that retailers could
face assaults on their point-of-sale systems. Parts of the software used in the
attack appeared to be based on the malware used against Target, a person
familiar with parts of the investigation said. That doesn't necessarily mean
the attack was the work of the same hackers.
The Target card-stealing code, known as Black POS, has
been widely sold on underground hacking forums since being crafted by a Russian
teenager, cybercrime experts have said.
Home Depot said the investigation is continuing and that it
is still working to determine how many customers were affected and what
information was taken. The attack catches the chain in the middle of a growth
spurt stemming from the improvement in the housing market. In the six months
ended Aug. 3, Home Depot recorded more than 750 million customer transactions,
although that might not correlate to the number of people affected. In the same
period, it booked $43.5 billion in sales, up 4.4% from a year earlier.
Home Depot has assured customers they won't be responsible
for any fraudulent charges on their credit or debit cards and has promised to
offer free identity-protection services, including credit monitoring, to any
affected customers.
It said there was no evidence the breach has affected its
more than 100 stores in Mexico or customers who shopped on its website. It also
said it didn't have any indications that PIN numbers from debit cards were
compromised.
Card-issuing banks so far haven't alerted their customers to
potential fraud or reissued cards because of the Home Depot incident. The banks
are scouring their customer databases to determine a common thread among any
fraudulent transactions that have occurred.
Meanwhile, attorneys general from California, Connecticut,
Illinois, Massachusetts and New York have joined together to investigate the circumstances
and cause of breach, as well as how Home Depot handles the impact on shoppers,
the states said.
Click here to access the full
article on The Wall Street Journal.