Home Depot (HD) has confirmed the rumors that it was the victim of a massive credit card data breach, as initially reported by Krebs on Security last week. According to the company, the payment data systems for its U.S. and Canadian stores were compromised in a coordinated attack that stretches back into April.
The company said that anyone who used a debit or credit card at its U.S. or Canadian stores since April may have had their data stolen. The company notes that it has discovered no evidence that the breach impacted customers who shopped at Home Depot stores in Mexico or online at HomeDepot.com.
The company also said there is currently no evidence that debit PIN numbers were compromised in the breach, but noted that its investigation has not determined the “full scope, scale and impact” of the breach yet.
"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," said Frank Blake, chairman and CEO. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges to their accounts."
The initial Krebs report stated that a sizeable batch of stolen credit and debit cards went on sale in the “cybercrime underground” on Sept. 2 and that multiple banks were reporting evidence that the stolen card data may have come from Home Depot stores.
Home Depot notes that it began its investigation as soon as it received the initial reports of a potential breach.
“Since then, the company's internal IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts and provide information to customers,” the company said in a release.
Home Depot also said that it has taken “aggressive steps” to address the malware that led to the breach and to protect customers’ data.
The company also announced that it is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April on, in an effort to combat any potential fraud that may take place as a result of the breach.
When the breach was initially reported, Krebs suggested that it may be far worse than the attack on Target in 2013. “If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” Krebs wrote in its initial report.