Almost all U.S. Home Depot stores may have been hit by breach: new data

By Nandita Bose
A sign outside The Home Depot store is pictured in Monrovia, California August 13, 2012. REUTERS/Mario Anzuoni

By Nandita Bose

CHICAGO (Reuters) - Customer data could have been stolen from nearly all of Home Depot Inc's stores in the United States, according to new information released on Wednesday by security website KrebsonSecurity.

Brian Krebs, who runs the website, had said on Tuesday that the problem could affect all of Home Depot's 2,200 stores in the United States. On Wednesday, he said he found new evidence that the breach first surfaced on the website Rescator, where customer credit cards were listed according to store ZIP code. These codes showed a 99.4 percent overlap with Home Depot stores, he said.

In all, there were 1,939 codes corresponding to Home Depot store locations, Krebs' website said. It is not yet clear how many customers were impacted.

Home Depot has not confirmed that a breach occurred. Company spokeswoman Paula Drake said the retailer is working with leading IT security firms, including Symantec Corp and FishNet Security, to investigate whether there has been a data breach.

"Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning," she said.

The retailer sought to reassure customers on Wednesday that they will not be held responsible for any possible fraudulent charges. It also asked them to closely monitor their accounts and said it will offer free identity-protection services, including credit monitoring, to any customers who may have been affected.

Home Depot could be the latest in a string of retailers to have been hit by security breaches in the recent past. If confirmed, the Home Depot breach could be among the worst.

U.S. retailers have been slow to adopt chip-reading technology on their terminals as most Americans do not carry chip-enabled cards.

In one of the most serious incidents, hackers last year stole at least 40 million payment card numbers and 70 million other pieces of customer data from Target Corp .

The largest-known breach at a U.S. retailer, however, was uncovered in 2007, at TJX Cos Inc , operator of the T.J. Maxx and Marshalls chains, where more than 90 million credit cards were stolen over about 18 months.

In some situations, companies that conduct investigations into data breaches may not be able to come to a definitive conclusion. For instance, Sears Holdings Corp said in February that an investigation into a possible data breach did not reveal conclusive information.

Home Depot shares fell 2.4 percent to close at $89.00 on the New York Stock Exchange on Wednesday.

(Additional reporting by Mark Hosenball in Washington; editing by Matthew Lewis)