NEW YORK (MainStreet) — It took Home Depot Inc. one week to confirm what has been widely reported: a massive credit and debit card breach that has quite likely impacted all 2,200 stores in the U.S., as well as locations in Canada. It’s a security compromise that security expert Brian Krebs says could be “many times larger than Target,” and has remained undetected for months – possibly since April or early May.
“Last Tuesday, September 2, we disclosed that we were investigating a possible breach of our payment data systems," says a message posted on the company’s website. "We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward. We do not have any evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com. While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised.”
Krebs says “multiple financial institutions” are reporting a steep increase in fraudulent ATM withdrawals over the past few days.
“The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores," Krebs wrote on his blog. "But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.”
Krebs reports that the card data stolen from Home Depot customers and currently for sale on the black market contains ample information for the perpetrators to fabricate counterfeit debit cards – as well as enough personal data to tap bank accounts.
It’s already happening, according to KrebsOnSecurity. A West Coast bank reported losing $300,000 in just two hours from debit cards involved in The Home Depot breach.
The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a credit or debit card at a company store since April of this year.
Investigators believe a new variant of the malware that lifted account data from point of sale payment terminals in Target last year was used in the Home Depot crime, indicating the hackers have been at work practically non-stop. The stolen card data is being touted on the black market with an “American Sanctions” label, once again raising suspicions of foreign perpetrators. Krebs says that this breach may dwarf the Target hack.
“If even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” he says.
--Written by Hal M. Bundrick for MainStreet