Home Depot Inc., the largest home-improvement chain, confirmed that hackers attacked its computer systems at stores in the U.S. and Canada in what could be one of the retail industry’s biggest breaches.
While payment systems were infiltrated, there is no evidence that debit-card PINs have been compromised, the company said in a statement yesterday. Home Depot, which didn’t disclose how many customers may have been affected, said the continuing investigation is focused on purchases made since April. The New York Times reported yesterday that the breach could involve more than 60 million credit-card numbers, citing a person familiar with the investigation.
Home Depot is the latest U.S. retailer to suffer a data breach from hackers, following attacks at Target Corp., Supervalu Inc. and Neiman Marcus Group Ltd. As the list of victims increases, the retail industry is under escalating pressure to improve the security of computer systems and credit cards.
“I don’t know why the retailers aren’t waking up and doing something,” Tomer Weingarten, chief executive officer of online security firm SentinelOne in Mountain View, California, said in a phone interview. “It seems like Target should have been a very big wake-up call.”
The U.S. Secret Service is also looking into the possibility that the hackers who breached Target are behind the Home Depot attack, according to a government official who wasn’t authorized to speak publicly.
Home Depot shares fell 1.2 percent to $89.71 at 11:34 a.m. in New York. The stock had gained 10 percent for the year through yesterday.
The retailer said last week that it learned of a possible breach only after independent journalist Brian Krebs reported on Sept. 2 that hackers may have stolen customer data and made counterfeit credit and debit cards. It’s been investigating the matter since.
Home Depot said yesterday that there’s no evidence that the breach affected online shoppers or stores in Mexico. The chain said it is giving identity protection and credit monitoring to anyone who used a payment card in a Home Depot store since April. Target made a similar offer after its breach.
Atlanta-based Home Depot had been on a roll with the rebounding housing market helping lift sales. The stock rose to an all-time high on Aug. 29, the last trading day before the retailer acknowledged a breach may have occurred.
Now Home Depot is working to restore confidence with its customers while also transitioning to a new chief executive officer. Craig Menear, the chain’s president of U.S. retail, will succeed CEO Frank Blake on Nov. 1. Blake, who took over in 2007, will remain chairman of the board.
While the financial impact on Home Depot remains to be seen, Target has already booked charges. As of Aug. 2, the discounter recorded $146 million in expenses related to the breach in which data for 40 million accounts were stolen. Part of the expenses is an estimate of claims yet to be made by the credit card companies.
More than 100 lawsuits have been filed against Target relating to the breach. The chain also blamed the attack, which became public in December, for a sales decline in the fourth quarter. In response, it’s spending $100 million to improve its security, including equipping company-issued credit cards with “chip and pin” technology, which is considered harder to hack.
The sales impact on Home Depot may be muted because this breach was disclosed in September when Home Depot’s key selling season during the first half of the year was already behind it, according to Bloomberg Intelligence. Disclosure of the Target breach happened during the heart of the holiday shopping season.