The multichannel home improvement retailer says the breach impacted shoppers who used debit and credit cards at its U.S. and Canadian stores, but not those who bought from

The Home Depot Inc. has confirmed that its payment systems were breached, which could impact consumers who used payment cards at its U.S. and Canadian stores.

However, the multichannel home improvement retailer, No. 16 in the Internet Retailer 2014 Top 500 Guide, says there is no evidence that debit-card personal identification numbers have been compromised. The breach also does not appear to have impacted customers who bought from or customers who made a purchase at its bricks-and-mortar stores in Mexico, the retailer says.

“We apologize for the frustration and anxiety this causes our customers and I want to thank them for their patience and support as we work through this issue,” says Frank Blake, the retailer’s chairman and CEO. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred.”

In confirming the breach, the Home Depot joins the ranks of eBay Inc., Target Corp. and Neiman Marcus Group Ltd. as high-profile data breach victims. They’re each part of a growing trend, as the number of data breaches jumped 53.6% in 2013 from 2012. 54.0% of those breaches were targeted at e-commerce web sites, according to a recent report by security firm Trustwave.

Home Depot didn’t identify the breach on its own. Instead, it learned of the possible intrusion after receiving reports of suspicious activity from banks and law enforcement officials. Since then, the retailer’s information technology security team has been working with Symantec Corp. and FishNet Security Inc., along with the Secret Service, to investigate the breach.


The retailer is hardly alone in not identifying the breach on its own: 71% of breached companies don’t detect the breach themselves, according to a recent Trustwave report. And the median number of days between the initial intrusion and detection last year was 87 days.

The retailer says it’s offering consumers who have made a purchase at a Home Depot store free identity protection services, including credit monitoring.

Home Depot has not shared how many consumers might be impacted by the breach. But if the numbers are in line with Target’s breach, which affected upward of 110 million consumers, it could prove very costly. Target’s breach has cost the retailer $236 million in the first half of the year.

The incident, which appears to be similar to Target’s breach, shows that many retailers aren’t doing enough to defend consumer data, says Eric Chiu, president & co-founder of information technology security vendor HyTrust.

“This is history repeating itself and history should never repeat itself when it comes to security,” he says. “That’s a sign that retailers aren’t taking security seriously and aren’t doing enough to secure their data. If this doesn’t correct itself and they don’t begin to put security at their top of mind, they will lose business and heads will roll. That’s something that should scare every company.”


Chiu points to Target’s breach, which led to the departures of CEO Gregg Steinhafel and chief information officer and executive vice president for technology services Beth Jacob. Prior to its breach, Target was having a good fourth quarter. But ever since, its sales have yet to recover.

Data breaches are a major threat to all retailers, says Jerry Irvine, chief information officer at information technology outsourcer Prescient Solutions Inc. and a member of the National Cyber Security Partnership.

“The frequency of cyberattacks and the number of individuals whose personally identifiable information has been stolen is making everyone a bit nervous about electronic purchases,” he says. “It doesn’t matter whether someone uses his card at a physical retailer or purchases from an online retailer; all data is entered and stored into computer systems. As a result, all retailers and financial institutions can expect increased regulations and compliance requirements from government entities and industry organizations. Retailers should prepare to have to increase their IT security budgets in order to tighten down their security frameworks, policies and processes.”

To read more of about the online security threats retailers face, check out the September cover story “The war with no end” in the September issue of Internet Retailer magazine. Not a subscriber? Click here to sign up for a free subscription.