Home improvement retailer Home Depot Inc. confirmed Monday that its payment systems have suffered a security breach, and Canadian clients are among those affected.
The chain said the breach "could potentially impact customers using payment cards" in U.S. and Canadian stores, but there is no evidence the breach hit online customers or stores in Mexico.
Home Depot, which has been tight-lipped since it revealed last week it was investigating unusual activity that suggested a potential breach, said Monday that it still doesn't know the "full scope, scale and impact of the breach." It said there is no evidence that PIN numbers associated with the debit cards have been compromised. Its investigation is focusing on transactions from April onward.
Home Depot has 2,266 stores, and 180 of those are in Canada. A Home Depot spokeswoman said the company cannot say how many Canadian customers may have been affected because it does not yet know "many details or the scale of the incident."
But the company said it has taken "aggressive" steps to address the "malware" and protect its customers' data. It is also offering free identity protection, and credit monitoring to any customer who has used a payment card at a Home Depot store since April of this year.
Home Depot chief executive officer Frank Blake said in a statement that "we owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It is important to emphasize that no customer will be responsible for fraudulent charges to their accounts."
The company said its internal technology security team has been working around the clock with outside security organizations, its banking partners, and the United States Secret Service to "gather facts and provide information to customers."
The possible breach was first reported last Tuesday by the security news website Krebs on Security, run by computer security expert Brian Krebs. He said several banks had reported seeing evidence that Home Depot outlets "may be the source of a massive new batch of stolen credit and debit cards."
In a posting, Mr. Krebs said analysis of card data posted on a "cybercrime store" website suggests that a spate of stolen credit card information recently put up for sale came from Home Depot.
Mr. Krebs said banks believe the breach may have begun in April or May. If that is the case "this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period."
Just before Christmas last year, Target said that credit and debit card information on millions of customers had been stolen. The breach, and the work to rectify it, cut into the company's fourth-quarter profit. Some of Target's Canadian customers were affected by that breach.
Mr. Krebs said in a posting on Monday that sources had told him the Home Depot breach was helped by a new variant of the "BlackPOS" malware that stole account data from Target.