Home improvement retailer Home Depot is still investigating a possible breach where cyber-criminals may have stolen credit and debit card details from nearly all of its 2,200 stores in the United States this year. Krebs on Security first reported the alleged breach on Tuesday.
Home Depot CEO Frank Blake told investors at the Goldman Sachs Annual Retailing Conference on Thursday that Home Depot had learned of the possible breach on Tuesday and the retailer and its partners were “working around the clock to find the breach.” However, he did not confirm that a breach had occurred.
On Wednesday, Home Depot released the following statement: “We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately.”
If the breach is confirmed, it would be the most widespread attack in recent months, overshadowing even Target, where cyber-criminals late last year stole at least 40 million payment card numbers and 70 million other pieces of personal information.
Previous reports have said Home Depot is working with Symantec and Fishnet Security in its investigation. Home Depot has also reportedly been in contact with the U.S. Secret Service, a law enforcement source told Reuters Thursday.
At this point, there is a lot that is still unknown. Home Depot has not elaborated on the nature of its investigation, when the unusual activity was discovered, how long the issue may have been present, or how many stores may have been affected.
Krebs on Security analyzed what is believed to be the cache of stolen cards from Home Depot to determine the geographic distribution of the victims. The analysis had a near 99 percent correlation with areas Home Depot has a location, making it likely nearly every location has been affected in this incident.
The recent wave of data breaches at major retailers have exposed the poor security surrounding point-of-sale systems, and the level of unpreparedness of the retail industry overall. Many banks have accelerated their timetables for issuing credit and debit cards embedded with chips, as they are more secure than the traditional cards with data stored on the magnetic stripe. Many retailers have been rolling out new credit card terminals to accept these new cards.
Ironically, Home Depot has been among the most aggressive among U.S. retailers to install these terminals. Blake said Home Depot had not yet activated the chip-reading technology on these terminals, but will do so before the end of the year.