After 6 Days, Home Depot Admits Payment-Systems Breach

Senior editor, security and privacy

A Home Depot store in Knightdale, North Carolina. Credit: Ildar Sagdejev/Creative Commons

UPDATED 9:15 a.m. EDT Tuesday (Sept. 9) with more information from security blogger Brian Krebs.

Nearly a week after news first broke that big-box retailer Home Depot may have been hit by a massive theft of customer credit-card numbers, the company finally admitted late today (Sept. 8) that something went very wrong.

In a statement posted to its website, Home Depot wrote:

"Last Tuesday, Sept. 2, we disclosed that we were investigating a possible breach of our payment data systems. We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward. We do not have any evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com."


In a FAQ accompanying the release, Home Depot said that PINs for debit cards had not been stolen. (Stolen debit cards can also be used without PINs.)

Home Depot did not state exactly how its payment systems were breached, enumerate how many stores were hit or estimate how many customer credit and debit cards may have been affected. It did repeatedly state that it would offer identity protection for affected customers for a year, and directed those customers to a website, homedepot.allclearid.com, where they could sign up. Home Depot also posted a document entitled "How to Prevent Identity Theft."

A week of waiting

The first inkling of a Home Depot data breach was posted Sept. 2 on the blog of independent security reporter Brian Krebs, who said he'd received multiple reports of an enormous "dump" of stolen credit- and debit-card numbers, all of which had been used at Home Depot. A Home Depot spokeswoman told Krebs there had been "unusual activity" in the company's payment-processing systems, and a statement posted on the Home Depot website the next day said about as little.

On Sept. 4, Krebs revealed that a sample of the stolen cards he'd been able to analyze showed that the billing ZIP codes for the cards were a nearly perfect match for the locations of Home Depot retail stores. Yesterday (Sept. 7), Krebs said he'd been told that malware found in Home Depot's point-of-sale systems was a variant of the malware that was used to steal 40 million credit cards from Target stores last fall.

Those 40 million credit cards were stolen from approximately 1,800 Target stores in the U.S. over the course of three and a half weeks. By contrast, the Home Depot card theft affected all 2,200 stores in the U.S. and Canada over at least four months. The total number of cards stolen from Home Depot will likely be much more than 40 million.

What to do now

Anyone who used a consumer credit, debit or charge card at a Home Depot store in the U.S. or Canada after April 1, 2014, needs to keep a close eye on their accounts for the next several weeks.

If any fraudulent or suspicious activity is seen, report it to your card's issuing financial institution immediately. Consumers whose card numbers are stolen are liable for a maximum of only $50 in case of fraudulent card charges, provided the fraud is reported in a timely manner. The fraud-reporting grace period is 60 days for credit cards, but can be as little as two business days for debit cards.

The situation is potentially much more serious for holders of payment cards tied to business accounts. Anyone who used a business credit, debit or charge card at a Home Depot store in the U.S. or Canada after April 1, 2014, needs to contact the card issuer immediately to establish what kind of fraud protection the card has.

Many state laws do not protect business credit cards from fraudulent activity as strongly as consumer cards are protected. It's possible that small businesses and, especially, independent contractors may be liable for some of the fraudulent charges rung up on their cards, at least in the short term. (We can expect to see lawsuits against Home Depot for any disputed charges.)

The smokescreen of identity protection

Home Depot's offer of identity protection to affected customers can be seen as generous. Yet it's questionable how useful identity-protection programs are to victims of credit-card theft, which is normally less serious than identity theft.

Having a credit-card number stolen does not increase the risk of identity theft, unless identification information is stolen as well. Most stolen cards can be actively used for only a few hours before they are blocked.

Stolen credit or debit cards cannot be used to open new accounts in the holder's name, and even a completely duplicated credit card is never accepted as a form of identification. It's much worse for someone else to have a fake driver's license in your name than to have your credit-card number.

UPDATE: In a blog posting Monday evening, Krebs said he had received multiple reports of spikes in fraudulent ATM withdrawals involving debit-card numbers stolen from Home Depot.

In the Home Depot card dump, each card's data included the ZIP code of the store from which it was stolen. Provided the legitimate cardholder lives near the store, Krebs contended, that ZIP code might be, when combined with the cardholder's full name, enough to get criminals started on hunting down the legitimate user's date of birth and Social Security number.

Legal and illegal services exist that will provide such information for a fee. If a criminal obtains a debit-card holder's name, date of birth and Social Security number, Krebs said, he can use those three data points, along with the card expiration date (already part of the stolen data), to call the card issuer's help line and reset the card's PIN.

With a Social Security number, date of birth and full name, a criminal can also open new accounts, and even file false tax returns, in the cardholder's name. Perhaps signing up for the Home Depot free identity-protection program isn't such a bad idea.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.