Home Depot Inc.’s investigation of a suspected hacker attack is renewing pressure on retailers and credit-card providers to strengthen payment-system security.
The largest home-improvement chain said yesterday that it was working with banks and law enforcement on the possible incursion, following a report by KrebsOnSecurity that a “massive” batch of stolen credit- and debit-card information was posted for sale online.
The probe comes a week after Bloomberg News reported that JPMorgan Chase & Co. and at least four other banks were targeted by hackers in a coordinated attack. Celebrities relying on Apple Inc.’s iCloud service to store photos also had nude pictures stolen and posted online in recent days, showing that both corporations and individuals need to tighten up security practices. Target Corp., Supervalu Inc. and Neiman Marcus Group Ltd. are among retail chains that have recently endured attacks.
“The criminals are getting smarter faster than the companies,” said Jaime Katz, an analyst at Morningstar Inc. in Chicago. If the Home Depot breach is on the same scale as Target’s incident last year, “there is obviously significant concern,” she said.
Home Depot has 2,263 stores, and 180 of those are in Canada. Spokeswoman Paula Drake would not reveal if the investigation includes the firm’s Canadian operations, although she did say that the website message was meant for “every Home Depot customer there is out there.”
The incident raises fresh questions about retailers’ slow adoption of “chip and PIN” technology, which makes cards more secure, said Michael Sutton, vice president of security research for San Jose, California-based cloud-computing company Zscaler Inc.
“Retailers are now seeing first-hand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach,” Sutton said.
Some U.S. companies have fallen behind schedule in updating their systems with the technology, also known as EMV – short for Europay-MasterCard-Visa, the companies that first backed the approach. Credit-card networks have set an October, 2015, deadline for most U.S. merchants to upgrade their payment systems.
EMV is considered more secure because it’s harder to copy account numbers and security codes from chips than from the magnetic strips on most cards used in the U.S. EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards.
“The technology has not been widely adopted in the U.S., primarily due to lobbying by retailers who were concerned about the cost of implementing the technology,” Sutton said.
Brian Krebs, the independent journalist who uncovered the hacker attack at Target last year, said Tuesday that there’s evidence that the latest stolen credit-card data is linked to Home Depot stores.
In Home Depot’s case, the suspected breach may have occurred in late April or early May and could encompass all 2,200 of the company’s stores in the U.S., Mr. Krebs said. That means it could be larger than the Target incident, he said.
Bloomberg News with a file from reporter Richard Blackwell