The Top 500 retail chain says it is investigating ‘unusual activity.’

The Home Depot Inc., No. 16 in the Internet Retailer Top 500 Guide, today said it was investigating whether criminals stole consumer and payment information from the retailer. While the chain will not provide specifics about the potential breach, it resembles the one suffered last year by Target Corp. and stands as a reminder for online retailers to beef up their security, according to one expert.

The Home Depot breach reportedly involves credit and debit cards. A spokeswoman for the chain says only that the retailer is “looking into some unusual activity and we are working with our banking partners and law enforcement to investigate.  Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers.  If we confirm that a breach has occurred, we will make sure customers are notified immediately.”

Initial suspicion tilts to thieves breaking into store point-of-sale systems, says Andreas Baumhof, chief technology officer at ThreatMetrix, which sells fraud prevention services to online retailers. He points to a Aug. 22 advisory from the U.S. Secret Service—which also investigates financial malfeasance as well as protecting the president—that warned retailers of malware called “Backoff” that enables criminals to exploit “businesses’ administrators accounts remotely and [steal] consumer payment data.” The advisory states that the Secret Service knows of seven point-of-sale providers that have had “multiple clients affected” by the malware, with some 1,000 U.S. businesses affected.

Target, No. 18 in the Top 500, has said its fourth quarter 2013 data breach exposed the credit or debit card details of 40 million customers and other personal information of 70 million shoppers. So far, the breach has helped to push out a Target CEO and cost the chain and its insurers at least $236 million. After insurance, the net cost of the breach stands at $146 million at last count.

“I feel that the targeted organizations have very little forensics information to get to the bottom of this,” Baumhof says. “Hopefully the [criminals] made a mistake so we can shed some light on this.”


So what should retailers do while awaiting details of the potential Home Depot breach? According to Baumhof, precautions include:

• Secure store point-of-sale networks. “Make sure you isolate these networks quickly. Make sure you get much more visibility into how cards are used.”

• Beef up all online security. “Screen any credit card transactions in more detail,” he says. “Verify account logins in more detail. Invest into solutions that provide you more visibility into the data.”

Much more information about the state of data and payment security in e-commerce can be found in the new September issue of Internet Retailer magazine and its cover story, which you can read for free