Multinational home-improvement retailer Home Depot Inc. will not say if any Canadians may have been the target of a possible security breach that could compromise customers’ debit and credit card data.
The company, based in Atlanta, said Wednesday in a note to customers on its website that it is looking into “some unusual activity that might indicate a possible data breach,” and that it is working with its banking partners and police to investigate.
It said that if it confirms there has been a breach, it will notify customers immediately.
Home Depot has 2,263 stores, and 180 of those are in Canada. Spokeswoman Paula Drake would not reveal if the investigation includes the firm’s Canadian operations, although she did say that the website message was meant for “every Home Depot customer there is out there.”
The issue was first reported Tuesday by the security news website Krebs on Security, run by computer security expert Brian Krebs. He said several banks had reported seeing evidence that Home Depot outlets “may be the source of a massive new batch of stolen credit and debit cards.”
In a posting Wednesday, Mr. Krebs said analysis of card data posted on a “cybercrime store” website strongly suggests that a spate of stolen credit card information recently put up for sale came from Home Depot.
Mr. Krebs said banks believe the breach may have begun in April or May. If that is the case “this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”
Just before Christmas last year, Target said that credit and debit card information on millions of customers had been stolen. The breach, and the work to rectify it, cut into the company’s fourth-quarter profit. Some of Target’s Canadian customers were affected by that breach.
In its note to customers, Home Depot said that if it finds there was a security breach, clients will not be responsible for any fraudulent charges. It also said that it will offer free identity protection services to anyone whose account has been compromised.