One of the biggest investigations into retail data theft is under way after Home Depot confirmed that Canadian and American customers at its home improvement stores could have been affected since April by a breach of its payment card system.
“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in a statement. But that means that credit cards could have been compromised.
However, over the past two years Canadian credit card issuers have been giving customers cards with smart chips, which are much more secure and very difficult to copy than the standard chip-less cards common in the U.S. That should mean that Canadian customers of the chain were better protected than U.S. shoppers.
But not all Canadian banks have converted their customers’ debit cards and cash withdrawal cards to smart cards as quickly. While I’ve had smart credit cards for over a year, my bank only sent me a chip enabled debit/withdrawal card two weeks ago.
Ever since the huge data breach at Target discount department stores in the U.S. was revealed earlier this year security industry experts have been saying the impact of the loss could have been greatly reduced had U.S. credit card companies switched to smart cards.
Earlier Home Depot said it will roll out EMV “Chip and PIN” to all U.S. stores by the end of this year, ahead of the October 2015 deadline established by the payments industry.
Home Depot “has taken aggressive steps to address the malware and protect customer data,” the company’s statement said. It is offering free identity protection services, including credit monitoring, to any customer who used a payment card at one of its store from the beginning of April.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” company chair and CEO Frank Blake said in the statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
Home Depot says it is the world’s largest home improvement specialty retailer, with 2,266 retail stores in all 50 U.S. states, the District of Columbia, Puerto Rico, U.S. Virgin Islands, Guam, 10 Canadian provinces and Mexico. There is no evidence the data breach hit the stores in Mexico.
According to security blogger Brian Krebs, who broke the story of the Home Depot breach, one of the big problems is that thieves have been quickly changing the PIN numbers on debit cards that had been used at Home Depot to withdraw hundreds of thousands of dollars in cash from ATMs, include bank machines in Canada.
They were able to do it because some banks allow automated PIN resets if the caller has certain ID information, including the customer’s date of birth, Social Security number.
He also said sources have told him the Home Depot breach was done with a variant of the same malware used to hit Target’s Windows-based POS machines.