Coverage: Home Depot admits data breach

September 9, 2014

Posted by Liz Hester

Cyber criminals continue to steal data from some of the largest companies. This time it was Home Depot customers who suffered the loss of privacy and the hassle of trying to protect their identities.

The Wall Street Journal story by Shelly Banjo and Danny Yadron had these details:

Home Depot Inc. confirmed Monday that its payment systems were breached at nearly 2,200 U.S. and Canadian stores in a cyberattack that may have stretched back to April.

The company said it is working aggressively to root out the malware that infected its data systems and protect its customer data, but stopped short of addressing when or whether the breach had ended.

The acknowledgment is the result of an investigation begun by the home-improvement company a week ago after it received reports from banks and law enforcement that its payment data systems may have been hacked.

Since then, it has been working with the Secret Service and banks, as well as with computer security firms Symantec Corp. and Fishnet Security, to determine whether it had been hacked and uncover the software responsible.

Law enforcement and payment officials were concerned about the potential scale of the attack, since it may have persisted for more than four months, much longer than the holiday season attack on Target Corp. that compromised data from 40 million credit- and debit-card accounts. One person familiar with parts of the investigation said tens of millions of cards may have been affected.

Nathan Layne wrote for Reuters about the contrast in communications strategies between Home Depot and Target in disclosing the data breach:

Home Depot Inc (HD.N) is being tight-lipped about its possible credit card breach, the opposite approach to the one Target Corp (TGT.N) took nearly a year ago.

Almost a week after security blogger Brian Krebs warned that Home Depot could be the victim of a breach extending to more than 2,000 U.S. stores, the home improvement chain has not confirmed or denied that one had occurred. The company said Tuesday that it was working with authorities to investigate the matter.

By contrast, Target made initial disclosures on its breach’s scope but later revised them in a series of updates that confused and angered consumers, hitting sales and contributing to Chief Executive Officer Gregg Steinhafel’s departure.

In its minimalist communication strategy, Home Depot likely is drawing lessons from Target, avoiding an incremental approach that risks giving the impression that it does not have a complete grasp of the problem, crisis management experts said.

“When you have criminal behavior, you don’t know right away what all the ramifications are,” said Davia Temin, head of a consultancy focused on crisis and reputation management. “It’s really hard when you are trying to overcommunicate not to misstate reality.”

Target in December used its first disclosure to say 40 million credit and debit cards might have been compromised. A week later it said encrypted PIN data had been stolen. And in January, it said data on up to 70 million people might have been taken.

Target spokeswoman Molly Snyder said the company had moved quickly to inform customers as facts were uncovered during a complex investigation.

Nicole Perlroth reported for The New York Times that many believe Home Depot didn’t handle the breach well:

“Honestly, Home Depot is in trouble here,” said Eric W. Cowperthwaite, vice president of Core Security, an Internet-security consulting company. Mr. Cowperthwaite noted that it was a security blogger, Brian Krebs, not the company, that first reported the breach.

“This is not how you handle a significant security breach, nor will it provide any sort of confidence that Home Depot can solve the problem going forward,” Mr. Cowperthwaite said.

Last week, before Home Depot confirmed the attack, customers in Georgia had already filed a class-action lawsuit against the retailer for failing to protect customers from fraud and not alerting them to the breach in a timely manner.

Home Depot said it would offer free identity protection and credit-monitoring services to any customer who had used a credit or debit card at any of its affected stores.

The USA Today story by Elizabeth Weise reported that Home Depot was going to switch to higher-security credit cards:

Credit card security breaches can cause companies significant losses. Target is still recovering from a massive data breach it suffered last holiday season in which 40 million card accounts and the personal information of up to an additional 70 million people were compromised.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO.

In the SEC filing, the company said that in response to the threat of cyber-attacks, it will roll out “Chip and PIN” cards to all U.S. stores by the end of this year. These cards contain an embedded microprocessor chip that stores and protects cardholder data.

The financial payments industry has established October 2015 as the deadline for companies to switch to the more secure cards.

Home Depot’s sparse communication is making some unhappy but could pay off in the long run given that Target had so much trouble with its disclosures. The upside for consumers is that they’ll get more secure credit cards before the deadline. It’s also clear that those in the cyber security business are only going to be busier as more and more companies come under attack.
