Home Depot Confirms Data Breach but Gives Few Details

A week after admitting it was investigating a possible security breach, Home Depot confirms that it happened.

Home Depot POS Malware

U.S. retail giant Home Depot publicly confirmed Sept. 8 that it was the victim of a data breach. Home Depot first disclosed that it was investigating a possible breach on Sept. 2 and has been working since then to figure out what, in fact, happened.

Credit cards used at Home Depot stores in both the United States and Canada are potentially at risk from the breach, while Homedepot.com online users are not. Additionally, Home Depot does not have any evidence the debit card PIN numbers were compromised in the attack.

While Home Depot is now confirming the attack, the company admitted that its systems might have been breached as far back as April of this year.

Home Depot is not providing any specific details on the total number of user accounts that might have been compromised or how many of its 2,266 stores are involved in the breach. Additionally, while there has been some speculation that the Backoff malware family is the root cause of the breach, Home Depot itself has not confirmed any such detail.

The Backoff point-of-sale (POS) malware family has affected 1,000 U.S. retailers according to security firm Trustwave and the U.S Secret Service. Backoff isn't the only POS malware that has been named in recent data breaches. Goodwill Industries recently confirmed that its stores were breached by the "rawpos" malware strain.

Home Depot spokesperson Paula Drake told eWEEK that the company's public press release contains all of the details it is releasing at this time.

"The investigation is still under way," Drake said. "Our focus today is to confirm a breach of our payment data systems and let customers know what steps they should take."

Home Depot is reassuring its customers that they are not going to be responsible for any fraudulent charges. Home Depot is also offering free identity protection services to its customers.

"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," Frank Blake, chairman and CEO of Home Depot, said in a statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred."

With its confirmation, Home Depot now joins an expanding roster of retailers that have publicly disclosed customer information breaches over the last 10 months. Target confirmed that last December it was the victim of a breach that now carries a price tag of $148 million in damages.

Retailers in the United States that take credit cards are all supposed to be compliant with the Payment Card Industry Data Security Standards (PCI DSS), which should potentially limit the risk of data breaches. That said, Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, told eWEEK that it would appear, based on what is known, that Home Depot should have been better prepared and likely they are not fully PCI DSS-compliant.

"For the time being, I'll only be using cash at Home Depot," Cowperthwaite said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.