Home Depot data breach was bigger than Target's. Were you affected?
Loading...
| New York
Home聽Depot聽said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers.
The size of the theft at聽Home聽Depot聽trails only that of TJX Companies' heist of 90 million records disclosed in 2007. Target's breach compromised 40 million credit and debit cards.
Home聽Depot, the nation's largest聽home聽improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.
It said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a "major" payment security project that provides enhanced encryption of customers' payment data in the company's U.S. stores.
But unlike Target's breach, which sent the retailer's sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based聽Home聽Depot. Still, the breach's ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars, similar to Target's breach.
"This is a massive breach, and a lot of people are affected," said John Kindervag, vice president and principal analyst at Forrester Research. But he added, "Home聽Depot聽is very lucky that Target happened because there is this numbness factor."
Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus.聽Home聽Depot聽might have also benefited from the disclosure of the breach coming in September, months after the spring season, which is the busiest time of year for聽home聽improvement.聽
And unlike Target, which has a myriad of competitors, analysts note that home-improvement shoppers don't have many options. Moreover,Home聽Depot's聽customer base is different from Target's. Nearly 40 percent of聽Home聽Depot's聽sales come from professional and contractor services. Those buyers tend to be fiercely loyal and shop a couple of times a week for supplies.
Home聽Depot聽on Thursday confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company's fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call center staffing and paying legal and professional services.
However, the profit guidance doesn't include potential yet-to-be determined losses related to the breach. The company said it has not yet estimated costs beyond those included in the guidance issued Thursday. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental investigations and enforcement proceedings.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,"聽Home聽Depot's聽chairman and CEO, Frank Blake, said in a statement. "From the time this investigation began, our guiding principal has been to put our customers first, and we will continue to do so."
Earlier this month, the Monitor reported on what steps customers affected by data breaches could take to minimize the damage:聽
鈥淭he problem with security is that it is like insurance. It is something you have to invest in up front, and the attack may or may not happen," said Phil Montgomery, executive vice president of Identiv, a security firm.聽"It鈥檚 hard for businesses to know that they should invest in security because of the uncertainty, but they are risking the confidence of consumers if breached, which is happening with regularity.鈥
With each breach, businesses are losing business and consumer confidence. Thus far, Target has spent $146 million in breach-related expenses, not including insurance payments.
鈥淐yber attacks probably aren鈥檛 going to go away anytime soon because security is going to require a big investment,鈥 Cobb says. 鈥淧ayment technology needs to be seriously upgraded. People have been saying this for many years, but now we are seeing the consequences for it not happening.鈥
What should you do if you shopped at Home Depot during the time of the possible breach?
The only thing customers can do right now is keep an eye on bank statements, according to the Federal Trade Commission. That includes comparing receipts to your bank statement, check any bills that you receive to make sure they were your purchases, and letting your credit card issuer know if there are any questionable charges. Customers can also keep an eye out for an email from their credit card company regarding possible fraud.
The breach at聽Home聽Depot聽was first reported on Sept. 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity.
Target's high-profile breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. Supporters say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.
Target has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores.聽Home聽Depot聽said it will be activating chip-enabled checkout terminals at all of its U.S. stores by the end of the year.