More than two weeks after it was revealed that it was infected by malware that stole customers' transaction data, the retailing chain Home Depot Inc. admitted this week that up to 56 million payment cards in the United States and Canada could have been compromised – the largest such breach on record.
The company has not replied to Globe and Mail requests for a breakdown of how many of those cards are held by Canadian customers.
Saskatchewan lawyer Tony Merchant, who has filed a class-action claim against Home Depot, says his lawsuit is on behalf of as many as four million Canadian customers.
According to Brian Krebs, the cyber-security expert who first made the breach public, investigators believe that it potentially affected 1,700 stores in the United States and 112 in Canada.
Mr. Krebs reported that the investigation initially focused on customers who used the self-checkout kiosks of Home Depot's retail stores.
What customers should do
At this point, customers are only advised to review their card statements carefully and alert the financial institution that issued the card should there be suspicious transactions.
Home Depot said there is no sign that debit personal identification numbers were compromised or that customers who shopped online were affected.
Customers whose cards were compromised will not be responsible for fraudulent charges, Home Depot said, pledging that either the company or the issuing financial institution would cover those payments.
Home Depot has offered free identity theft protection and credit monitoring to any customer who used a payment card at a store since the breach began in April.
Mr. Merchant, however, said "what they are offering … is almost nothing and very little in value."
The identity theft insurance in the package offered to Canadians – from credit bureau Equifax – has an upper limit of $50,000. In the United States, the insurance in the package from AllClear covers up to $1-million.
Paula Drake, a Home Depot spokeswoman, said the $50,000 maximum is the "best available coverage offered by the [credit] bureaus in Canada." There are "regulatory and market differences" between the two countries that account for the contrast, Ms. Drake said.
A timing issue
Home Depot says it was not aware of the problem until nearly five months after the breach first started in April.
The problem was first made public on Sept. 2 by Mr. Krebs.
It was only on that morning, Home Depot said, that the company was alerted by banks and law enforcement that "there was some unusual activity connected to our payment systems."
According to Mr. Krebs, bank security experts who monitor the trade of stolen cards had noticed that an underground online reseller was promoting a sale of two new sets of stolen cards.
Six days later, Home Depot confirmed that the payment-data systems at its U.S. and Canadian stores had been breached. The company said Thursday, 10 days afterward, that it had eliminated the malware from its computer networks.
The delays are cited by litigators in the United States and Canada, who are moving to file class-action lawsuits on behalf of customers.
Already, on Sept. 4, a class-action complaint was filed in Georgia, where the company has its corporate headquarters.
"They weren't telling people until Brian Krebs broke the story at the beginning of September," Mr. Merchant told The Globe and Mail. "An awful lot of people have spent [money] at Home Depot in the last six months, and every one of them is at risk."
The American court claim also cites the delays.
"Home Depot failed to uncover and disclose the extent of the breach and notify its affected customers of the breach in a timely manner, preventing [customers] from protecting themselves," said the complaint filed in Northern Georgia U.S. District Court.
Who was behind the hack?
The stolen cards were being resold online in two batches, one labelled "European Sanctions" and the other "American Sanctions," in an apparent reference to trade sanctions levelled against Russia for its actions in Ukraine.
Both Mr. Krebs and the security firm Trend Micro suspect that Home Depot's troubles were caused by a variant of a Russian-developed malware known as BlackPOS, which is also believed to be behind the cyber-attacks against point-of-sale terminals of the American retailers Target and Neiman Marcus.
According to the California-based computer security company IntelCrawler, BlackPOS was created in the spring of 2013 by a young Russian hacker living in St. Petersburg, who used the nickname Ree4.
However, Josh Grunzweig, principal security consultant for the Australian tech company Nuix, said the evidence was not conclusive.
"The number and degree of variances between these two samples are a clear indication that they were more than likely coded by different people," Mr. Grunzweig wrote on his company blog.
He concluded that "many details have not yet been made public, so at this point in time, your guess is as good as mine."