NEW YORK (TheStreet) -- Home Depot (HD) - Get Report has acknowledged the credit card breach reported last week but has yet to offer details, which instead are coming mainly from a security blogger named Brian Krebs, formerly a reporter at The Washington Post.
Although the company has yet to acknowledge the full extent of the breach, millions of card numbers may be for sale through a crime shop called Rescator.
According to Krebs' blog, the damage may not be limited to Home Depot. Because thieves stole customers' addresses and those of the stores from which data were stolen, as well as card numbers, and because so many stolen numbers are now in circulation, some thieves have been able to change the PINs used on victims' ATM cards and clear accounts of cash. One large West Coast bank lost $300,000 in a matter of hours, Krebs reported.
The fraud points to a more general problem with bank security, Krebs wrote, the ability of people to change PINs with a phone call through a Voice Response Unit. When a thief obtains a full name and address, they are often able to obtain other data, such as a victim's date of birth and Social Security number, allowing this fraud to take place.
Krebs reports that the malware infecting Home Depot point-of-sale systems is a version of the BlackPOS program that infected Target (TGT) - Get Report last year, which runs under Microsoft (MSFT) - Get Report Windows. The new version, according to Trend Micro, can capture all numbers in a cash register's memory, not just ongoing transactions.
In a statement, Home Depot acknowledged that its problems began in April and that it was alerted to them by banks on Sept. 2. The source of the infection is still being investigated, the statement said, as is the extent of the damage. The hack involved stores in the U.S. and Canada, but not the company's online operations.
Since Sept. 2, Home Depot shares have fallen from almost $93 to their level midmorning Tuesday of about $89.78, an estimated loss in market cap of about $4.3 billion. The company gave an upbeat report at a Goldman Sachs conference last week, and TheStreet still rates the stock as a buy.
In its statement, Home Depot says it will convert all stores to chip-and-pin technology, which is more secure, by the end of this year, and repeated that customers will not be liable for losses. It also offered free credit monitoring services to victims. It has put up a page of questions-and-answers for customers.
Rescator, the hacker on whose site Krebs first found compromised card numbers, is continuing to push out new numbers for sale, Krebs wrote. While investigating the Target breach, Krebs identified Rescator as a young programmer in the Ukraine with profoundly anti-American views.
The bottom line is that it remains difficult to find a bottom line until Home Depot details the full extent of what happened.
At the time the author owned no shares in companies mentioned in this story.
This article is commentary by an independent contributor, separate from TheStreet's regular news coverage.
TheStreet Ratings team rates HOME DEPOT INC as a Buy with a ratings score of A+. TheStreet Ratings Team has this to say about their recommendation:
"We rate HOME DEPOT INC (HD) a BUY. This is based on the convergence of positive investment measures, which should help this stock outperform the majority of stocks that we rate. The company's strengths can be seen in multiple areas, such as its revenue growth, notable return on equity, good cash flow from operations, solid stock price performance and impressive record of earnings per share growth. We feel these strengths outweigh the fact that the company has had generally high debt management risk by most measures that we evaluated."
You can view the full analysis from the report here: HD Ratings Report