After nearly a week of investigation, Home Depot on Monday confirmed that intruders had indeed broken into its payment networks and accessed credit and debit card data belonging to an unspecified number of customers who shopped at its U.S. and Canadian stores.
The statement announcing the breach did not detail the number of stores affected or the total number of cards compromised. It merely noted that the company is looking into the possibility that the breach occurred in April.
Home Depot also said there is no evidence that debit card personal identification numbers (PIN) were compromised. Nor is there evidence the breach affected any Home Depot stores in Mexico or purchases made online at the company's website.
The company added that it has been working around the clock to mitigate the situation since being told about the breach last Tuesday.
"We apologize for the frustration and anxiety this causes our customers," Frank Blake, chairman and CEO of Home Depot, said in the statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges."
The statement is interesting because it makes no mention at all of the potential size and scope of the breach.
According to security blogger Brian Krebs, who first reported the intrusion, evidence from the cyber underground suggests that nearly all of Home Depot's 2,200 stores in the U.S were impacted. The fact that the breach also appears to have remained undetected for more than three months suggests that it may end up being the biggest compromise of payment card data ever, Krebs noted.
In fact, the Home Depot breach could turn our to be several times larger than the one that Target experienced last December. More than 40 million payment cards were compromised in the Target breach.
The breaches highlighted escalating concerns over malware dubbed "Backoff" that infects point-of-sale (POS) systems and has affected over 1,000 U.S. businesses, according to federal law enforcement authorities. Security firm Kaspersky Labs, which conducted its own research of the Backoff malware, believes the number of affected businesses could be much higher.
If other large breaches are any indication, the data compromise at Home Depot could cost the retailer hundreds of millions of dollars in remediation expenses, fines and legal fees.
Since news of the breach went public, Home Depot's stock price has fallen by about 3%, from $93.11 per share last Tuesday to $90.82 on Monday. After the company confirmed the breach late Monday, its share price dropped by nearly another percentage point in after-hours trading.