If you shopped at The Home Depot® store using your credit or debit card, your account information could be in the hands of hackers and may even be for sale online.
The Home Depot released details of its investigation into the hacking of its payment systems, warning customers that payment card data for those who shopped at Home Depot stores in the United States and Canada between April and September 2014 has been compromised by hackers.
The company says is was first made aware of the data breach on Sept. 2 when its banking partners and law enforcement notified the retailer of unusual activity related to its payment systems. Since then the company’s IT security team has worked with security firms, banking partners and the Secret Service to investigate how hackers got in and determine the magnitude of payment and customer data stolen.
They found that hackers used a unique, custom malware to target Home Depot payment terminals. The company has since closed off the hackers’ entry point and eliminated the malware from its systems. The cyber attack exposed payment card information for an estimated 56 million unique payment cards. It does not appear that hackers obtained debit card PINs or bank information for those paying by check.
According to The Detroit Free Press, payment card information stolen during the Home Depot data breach might already be for sale on “carding sites,” black market websites where stolen payment card data is bought and sold by thieves.
Card data from sales at retail stores in Mexico, and online at HomeDepot.com and HomeDepot.ca were not affected by the data breach.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, or guiding principle has been to put our customers first, and we will continue to do so.”
Card issuers or The Home Depot will be responsible for any fraudulent charges on customer cards. Consumers should review credit reports and payment card statements carefully, and immediately report any fraudulent charges to the financial institution that issued the card.
The company also told consumers to be alert for phone calls or emails that offer identity theft protection but are really phishing schemes designed to steal your information. Consumers should not click on links in emails. They should go directly to the Home Depot website or credit monitoring website by typing the web address in their browser.
Former employees are critical of Home Depot’s computer security practices and warned the company’s systems were vulnerable, reports the New York Times.
In a release, the company says it was already in the process of launching new security measures that provide enhanced encryption of payment data at point of sale checkouts in the company’s U.S. stores. The implementation began in January 2014 and was finished in U.S. stores on Sept. 13, 2014, with completion in Canadian stores slated for early 2015.
The Home Depot is offering a free identity protection and credit monitoring services to customers impacted by the data breach. HomeDepot.com has resources to help customers enroll in these programs or they may call 1-800-466-3337.