The Globe and Mail

Home Depot Inc. admitted this week that up to 56 million payment cards in the United States and Canada could have been compromised

Justin Sullivan/Getty Images

More than two weeks after it was revealed that it was infected by malware that stole customers' transaction data, the retailing chain Home Depot Inc. admitted this week that up to 56 million payment cards in the United States and Canada could have been compromised – the largest such breach on record.

The company has not replied to Globe and Mail requests for a breakdown of how many of those cards are held by Canadian customers.

Saskatchewan lawyer Tony Merchant, who has filed a class-action claim against Home Depot, says his lawsuit is on behalf of as many as four million Canadian customers.

According to Brian Krebs, the cyber-security expert who first made the breach public, investigators believe that it potentially affected 1,700 stores in the United States and 112 in Canada.

Mr. Krebs reported that the investigation initially focused on customers who used the self-checkout kiosks of Home Depot's retail stores.

What customers should do

At this point, customers are only advised to review their card statements carefully and alert the financial institution that issued the card should there be suspicious transactions.

Home Depot said there is no sign that debit personal identification numbers were compromised or that customers who shopped online were affected.

Customers whose cards were compromised will not be responsible for fraudulent charges, Home Depot said, pledging that either the company or the issuing financial institution would cover those payments.

Home Depot has offered free identity theft protection and credit monitoring to any customer who used a payment card at a store since the breach began in April.

Mr. Merchant, however, said "what they are offering … is almost nothing and very little in value."

The identity theft insurance in the package offered to Canadians – from credit bureau Equifax – has an upper limit of $50,000. In the United States, the insurance in the package from AllClear covers up to $1-million.

Paula Drake, a Home Depot spokeswoman, said the $50,000 maximum is the "best available coverage offered by the [credit] bureaus in Canada." There are "regulatory and market differences" between the two countries that account for the contrast, Ms. Drake said.

A timing issue

Home Depot says it was not aware of the problem until nearly five months after the breach first started in April.

The problem was first made public on Sept. 2 by Mr. Krebs.

It was only on that morning, Home Depot said, that the company was alerted by banks and law enforcement that "there was some unusual activity connected to our payment systems."

According to Mr. Krebs, bank security experts who monitor the trade of stolen cards had noticed that an underground online reseller was promoting a sale of two new sets of stolen cards.

Six days later, Home Depot confirmed that the payment-data systems at its U.S. and Canadian stores had been breached. The company said Thursday, 10 days afterward, that it had eliminated the malware from its computer networks.

Class-action litigation

The delays are cited by litigators in the United States and Canada, who are moving to file class-action lawsuits on behalf of customers.

Already, on Sept. 4, a class-action complaint was filed in Georgia, where the company has its corporate headquarters.

In Canada, Mr. Merchant is also launching a national class-action litigation.

"They weren't telling people until Brian Krebs broke the story at the beginning of September," Mr. Merchant told The Globe and Mail. "An awful lot of people have spent [money] at Home Depot in the last six months, and every one of them is at risk."

The American court claim also cites the delays.

"Home Depot failed to uncover and disclose the extent of the breach and notify its affected customers of the breach in a timely manner, preventing [customers] from protecting themselves," said the complaint filed in Northern Georgia U.S. District Court.

Who was behind the hack?

The stolen cards were being resold online under two batches, one labelled "European Sanctions" and the other "American Sanctions," in an apparent reference to trade sanctions levelled against Russia for its actions in Ukraine.

Both Mr. Krebs and the security firm Trend Micro suspect that Home Depot's troubles were caused by a variant of a Russian-developed malware known as BlackPOS, which is also believed to be behind the cyber-attacks against point-of-sale terminals of the American retailers Target and Neiman Marcus.

According to the California-based computer security company IntelCrawler, BlackPOS was created in the spring of 2013 by a young Russian hacker living in St. Petersburg, who used the nickname Ree4.

However, Josh Grunzweig, principal security consultant for the Australian tech company Nuix, said the evidence was not conclusive.

"The number and degree of variances between these two samples are a clear indication that they were more than likely coded by different people," Mr. Grunzweig wrote on his company blog.

He concluded that "many details have not yet been made public, so at this point in time, your guess is as good as mine."
