Home Depot probes possible data theft

Security analyst says suspected attack could be bigger than Target’s

Home Depot, the largest DIY chain in the US, sought to reassure consumers as it investigated reports of a mass theft of customers’ payment data.

The chain said that if it confirmed a breach, it would offer free identity protection services and credit monitoring to customers who might be affected. It also reminded customers that their banks or the retailer itself would be responsible for any fraudulent charges on their cards.

“We’re looking into some unusual activity that might indicate a possible payment data breach,” the company said. “We know that this news may be concerning and we apologise for the worry this can create.”

If the possible attack is confirmed, it would be the latest in a growing number of data breaches by hackers on US retailers and banks.

Brian Krebs, a well-known cyber security analyst who first reported the possible issues at Home Depot, said in a blog post that the suspected theft of card data from the company could be larger than the data theft of 40m credit and debit cards from Target earlier this year, based on information he had received from banks.

After closing 2.5 per cent lower on Tuesday, Home Depot’s shares fell a further 2.4 per cent by close of trading on Wednesday.

The increasing complexity of software and automation of business functions is contributing to a rise in large-scale attacks, said Jeff Williams, chief technology officer of Contrast Security, which develops internet security products. In addition to Target, online retailer eBay said in May that hackers had accessed millions of customers’ user names and other personal data.

“If Home Depot pans out to be a Target-sized breach then three of the biggest breaches in all of history will have been in the last year, which is exceptional,” said Mr Williams. “As systems get more complex and more critical they’re easier to attack and more vulnerable to attack.”

The theft of Target’s customer data ended up costing the retailer nearly $20m of related expenses in the first quarter and pushed it to replace its chief executive and cut its full-year forecast.

Authorities including the Federal Bureau of Investigation and the US Secret Service recently launched an investigation into a wave of cyber attacks against financial institutions, including JPMorgan Chase, the nation’s largest bank by assets.

If Home Depot pans out to be a Target-sized breach then three of the biggest breaches in all of history will have been in the last year, which is exceptional

Jeff Williams, Contrast Security

Cyber security researchers said retailers were proving to be equally alluring targets because they hold massive amounts of financial data but their security systems are rarely as sophisticated as those of large banks.

The weak security on credit cards used in the US also makes it relatively easy for cyber thieves to steal the data, said Jaime Blasco, a researcher at security company AlienVault. Europe uses so-called “chip and pin” cards, which require a code to work. The US is only now requiring banks to use those more secure cards, a transition that will not be completed until next year.

“Most of the biggest breaches that we are seeing are happening here in the US, and the problem is with these old credit card systems,” said Mr Blasco. “In Europe we have been using chip and pin credit cards for 10 years, and we don’t have those problems any more.”

Mr Krebs said data suspected of being stolen from Home Depot were put up for sale on Tuesday via an underground online forum. Similarities with the Target breach, he wrote on his blog, suggested the same group of hackers could be responsible for both attacks.

Copyright The Financial Times Limited 2016. All rights reserved. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the web.

More on this topic

Suggestions below based on Cyber Security