Home Depot said Thursday that 56 million payment cards used at its American and Canadian stores between April and September were compromised by a type of criminal software that hadn’t previously been seen in other attacks.
The Atlanta-based home improvement retailer said any terminal with the malware has been taken out of service and that it completed introducing new encrypted terminals in all of its U.S. stores on Sept. 13, less than two weeks after the attack was discovered.
Home Depot says it will complete installing new encrypted terminals at its Canadian stores early next year but added they are already equipped to handle credit cards with embedded chips and personal identification numbers.
The company continues to say there is no evidence that debit card personal identification numbers have been compromised or that online shoppers were affected at homedepot.ca or homedepot.com.
Its Mexican stores were also apparently unaffected by the breach.
“We apologize for the frustration and inconvenience this breach may have caused,” the company said in a new posting on its website.
“We also want to emphasize that you will not be liable for any fraudulent charges to your accounts, and we’re offering free identity protection services, including credit monitoring, to any customer who has shopped at a Home Depot store in 2014, from April on.”
However, the Merchant Law Group–one of Canada’s prominent class-action firms–filed a suit on Wednesday that will seek financial compensation for all Canadians affected by the Home Depot breach between April and Sept. 2.
“What Home Depot has offered is the most minimal kind of assistance. It’s just not adequate,” Tony Merchant said Thursday from the group’s office in Calgary.
Merchant said that a Canadian class action against the Winners and Home Sense retail chains several years ago, after its parent TJX was the victim of a breach, obtained vouchers of between $30 and $60 as compensation and members of the class with significant out-of-pocket expenses were able to get repayment through the process.
And importantly for society, he added, the Winner-HomeSense class action negotiated changes to the way customer information was protected.
“And the same thing has to happen here,” Merchant said.
The representative plaintiff is Martin Knuth, who says he used a swipe credit card several times at a Home Depot store in Regina, including on June 13, 2014. The suit was filed with a Saskatchewan’s Court of Queen’s Bench, in Regina.
Home Depot has a total of 2,264 stores in North America, including 287 in Canada and Mexico.
Security experts have said that chip-and-pin credit cards are less vulnerable to certain types of breach, particularly in stores, but hackers may used other techniques such as grabbing information off online transactions where the card number and password is entered by the consumer.
It’s the second-largest breach for a U.S. retailer on record, behind TJX Cos.’s theft of 90 million records, disclosed in 2007, and ahead of Target’s pre-Christmas 2013 breach that compromised 40 million credit and debit cards.
But unlike Target’s breach, which sent the retailer’s sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach’s ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars, similar to Target’s breach.
“This is a massive breach, and a lot of people are affected,” said John Kindervag, vice-president and principal analyst at Forrester Research. But he added, “Home Depot is very lucky that Target happened because there is this numbness factor.”
Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus. Home Depot might have also benefited from the disclosure of the breach coming in September, months after the spring season, which is the busiest time of year for home improvement.
And unlike Target, which has a myriad of competitors, analysts note that home-improvement shoppers don’t have many options. Moreover, Home Depot’s customer base is different from Target’s. Nearly 40% of Home Depot’s sales come from professional and contractor services. Those buyers tend to be fiercely loyal and shop a couple of times a week for supplies.
Home Depot on Thursday confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company’s fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call centre staffing and paying legal and professional services.
However, the profit guidance doesn’t include potential yet-to-be determined losses related to the breach. The company said it has not yet estimated costs beyond those included in the guidance issued Thursday. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental investigations and enforcement proceedings.
The breach at Home Depot was first reported on Sept. 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity.
Target’s high-profile breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. Supporters say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer’s register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.
Target has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores. Home Depot said it will be activating chip-enabled checkout terminals at all of its U.S. stores by the end of the year.