"When you are in a situation like this you have a choice," said Home Depot CEO Frank Blake. "On the one hand, you can wait to communicate anything until you have the facts at hand, or you can communicate the facts as you know them. We chose the latter path."
The retailer began an investigation on Tuesday, September 2, after receiving reports from its banking partners and law enforcement that criminals may have hacked its payment data systems. Since then, Home Depot's internal IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to gather facts and provide information to customers as quickly as possible.
"The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores," according to Brian Krebs of Krebs on Security. "But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs."
"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," Blake noted. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges to their accounts."
The retailer is still working with investigators to determine the full scope, scale and impact of the breach. As of now, however, there is no evidence that debit PIN numbers have been compromised. The investigation is focused on the period from April 2014 to the present, and the retailer is moving aggressively to protect customer data and address the malware.
What's most critical? The card data stolen from Home Depot customers and now for sale on the crime shop includes the information needed to fabricate counterfeit cards as well as the legitimate cardholder's full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device), according to Krebs.
In the meantime, free identity protection services, including credit monitoring, are being offered to any customer who used a payment card at a Home Depot store in 2014, from April on. Responding to the increasing threat of cyber-attacks on the retail industry, Home Depot previously reported it will roll out EMV chip-and-PIN to all U.S. stores by the end of this year – well ahead of the October 2015 deadline.