NEW YORK (TheStreet) -- A possible data breach at Home Depot (HD) may have been much bigger than the one at Target (TGT) last year, according to security expert Brian Krebs, with malware infecting terminals at all of Home Depot's stores and data offered for sale that included stores' zip codes.
After learning of a possible breach from banks, Krebs found stolen numbers at a site called Rescator that had also offered stolen numbers from previous breaches, including the one at Target. He matched the zip codes in card numbers flagged by the banks to a list of Home Depot locations and got a 99.4% overlap.
Home Depot said in a statement sent to TheStreet that it has been working on reports of a breach since Tuesday and that it has "no higher priority" than gathering the facts in the case. It said customers will not be held liable for fraudulent charges. The company, though, hasn't confirmed a breach. It is investigating whether a breach has occurred.
On Tuesday morning, Home Depot shares traded as high as $92.75. Since then, the shares have fallen to Thursday morning's opening price of $89. The stock was recently trading at $89.93, up 1%.
The breach that hit Target last year cost an estimated $148 million, and the company's CEO and head of security lost their jobs. The stock has not recovered to its pre-breach price.
"The Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers. If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target," Krebs wrote on his blog.
Since the data offered for sale included store zip codes, Krebs wrote, thieves may be able to buy card numbers from stores near them, create fake accounts and use them successfully, because banks may not block those numbers right away so as not to inconvenience actual customers.
Not all the news is bad here for the retailer. Home Depot stores in Canada were not affected, indicating that chip-and-pin technology thwarted the data thieves. The company also reportedly began to replace in-store terminals in June, and that may have limited the damage.
Large retailers that have not replaced their in-store terminals in years may remain vulnerable to the same hack that hit Target and Home Depot.
The possible breach at Home Depot could have been much worse for some victims than the Target breach. That's because Home Depot often sells to businesses and their credit cards don't have the automatic fraud protections that consumer cards do, although a Home Depot spokeswoman said that the company won't hold business credit-card holders responsible for fraudulent charges.
The U.S. credit-card industry, which has 1.24 billion accounts connected to 1.54 million point-of-sale terminals, is switching from cards with magnetic stripes to cards with chips for all transactions, and liability for thefts will shift starting in October 2015 from merchants' banks to those of cardholders. Europe and Canada have long used this "chip-and-pin" technology, and losses have dropped.
The payment industry can't get the new terminals, and cards, out quickly enough.
At the time of publication the author owned no shares in companies mentioned in this article.
This article is commentary by an independent contributor, separate from TheStreet's regular news coverage.
TheStreet Ratings team rates HOME DEPOT INC as a Buy with a ratings score of A+. TheStreet Ratings Team has this to say about their recommendation:
"We rate HOME DEPOT INC (HD) a BUY. This is based on the convergence of positive investment measures, which should help this stock outperform the majority of stocks that we rate. The company's strengths can be seen in multiple areas, such as its revenue growth, notable return on equity, good cash flow from operations, solid stock price performance and impressive record of earnings per share growth. We feel these strengths outweigh the fact that the company has had generally high debt management risk by most measures that we evaluated."