Home Depot's Data Breach: Worse Than We Thought

Home Depot store front

Home Depot's Data Breach: Worse Than We Thought
| published Sept. 23, 2014 |

By Thursday Review staff


Not long ago (less than nine months, as a matter of fact), one would have thought the massive data breach of Target’s point-of-sale infrastructure was the worst security breach we could imagine. Close on the heels of the Target cyber-attack—the worst of which took place during the peak of holiday shopping in the United States in November and December—came the news that both Neiman Marcus and Michael’s had also experienced similar data breaches.

The impact of these combined security failures may have compromised the credit card and debit card data of as many as 110 million people.

But things may have become worse. Home Depot’s massive data breach, which was originally thought to be limited in size and scope, has been revealed to have been just as large, if not larger, than the Target hacking event. Home Depot announced a few days ago that the breach it suffered has affected the credit cards and debit cards of at least 56 million people, but—more importantly—the heist may have included transactions and records totaling more than 90 million entries.

Home Depot said that its own investigations and those being conducted by law enforcement show no evidence that the breach exposed PIN numbers. The breach may have, however, exposed card numbers, landline phone numbers and cell numbers, physical addresses, account numbers, payment histories, and even purchase histories to the thieves. And unlike the Target, Neiman Marcus and Michael’s breaches, which may have lasted for only a short period of time, the Home Depot breach went undetected for many months.

Investigators are concerned that the length of the breach may have exposed those payment records and personal information to multiple hackers: the first hackers—using malware designed to trick the system—opened the door and took what they needed; the second and third sets of intruders may have simply found that vulnerable door unlocked and made off with some or all of the same data.

In the meantime, Home Depot says it has identified the weakness, sealed off the problem, and instituted security changes company-wide. One change is what Home Depot calls a payment and credit card revamping which will provide for encryption of customer data.

Home Depot has apologized for the incident and says it is cooperating with law enforcement to resolve the problem. The breach was first revealed earlier in September.

“We apologize to our customers,” said chairman and CEO Frank Blake last week, “for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began…our guiding principle has been to put our customers first.”

Like many businesses, especially those in the building and construction trades, Home Depot experienced sales setbacks during the winter months. A severe winter characterized by record-breaking low temperatures, heavy ice and snows put the brakes on Home Depots profits. But this spring, boosted by a better-than-expect surge in home construction, Home Depot saw its numbers improve. Analysts say that so far Home Depot has not shown any signs that customers are staying away from the retail giant as a direct result of the data breach. But since the long term cost of the breach is not yet known, business experts are guarded about the near future of Home Depot profits.

Related Thursday Review articles:

Target Misses the Target, Again; Thursday Review staff, Thursday Review; August 20, 2014.

How to Make Your Credit Card Safe, Remotely; Thursday Review; August 12, 2014.