Home Depot is offering free credit monitoring and identity protection services to customers who may have been affected by a possible credit card breach.
Suspicions of a credit card breach first emerged this week after cybersecurity journalist Brian Krebs reported that fraudulent credit cards possibly linked to Home Depot sales started showing up for sale on black market website rescator.cc.
The company confirmed on Tuesday that it was looking into a possible breach, then added more detail on Wednesday in a statement carefully constructed to confirm that the chain is investigating the matter while still leaving the door open to the possibility that its network has not, in fact, been compromised.
Home Depot's "forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning," the chain told CBC News.
"It’s important to note that in the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges," Home Depot said.
"The financial institution that issued the card or Home Depot are responsible for those charges," the company said, adding that it would offer free identity protection services, including credit monitoring, to any potentially impacted customers.
Home Depot also urges all of its customers to monitor their accounts and let their banks know if they notice any unusual activity.
Impact in Canada not known
It's still unclear, however, if any of the chain's Canadian customers might be affected. Home Depot has at least 180 locations in Canada.
If a breach is confirmed, it would make Home Depot the latest retailer ensnared in an expensive security breach, following in the footsteps of companies such as Target, which earlier this year had account information from as many as 70 million customers stolen.
In Target's breach, the chain's Canadian stores themselves weren't affected. But some Canadian customers who crossed the border into the U.S. and shopped there during the busy holiday shopping season were impacted.
If there was a breach, early evidence suggests it was a large one, says Mark Nunnikhoven with software security firm Trend Micro. "Target had a definitive window of about three weeks when the hackers were active, and it resulted in 40 million cards. This one seems to be from early May until we don't know when," he says.
"It's going to be the same size if not larger."
Retailers face an uphill and constant battle from here on out, Nunnikhoven says, because while hackers need to find just one hole to exploit, cybersecurity defenders have to be looking for all possible holes.
Indeed, he says consumers should get used to a new reality where attacks like this are common, and take precautions.
"Cybercriminals are waking up to the reality that the defences aren't up to snuff to stop them," he said. "Once they've done an attack, there's almost no incremental cost to try it again ... it's just as easy to attack 10 or 100 retailers or banks as one."
The good news, however, is that most Canadians are already armed with a powerful weapon against such attacks: chip-and-PIN technology on credit cards. The technology is commonplace in Canada and the EU, but is not yet widely used in the U.S., where most such attacks seem to be happening.
Retailers need to be vigilant, but with chip-and-PIN technology and policies in place from the card firms to cover losses, consumers aren't in a desperate situation.
"From a retailer's perspective ... the fact that a hacker can sit on the network for three weeks or multiple months is unacceptable," Nunnikhoven said. "It's one thing to be attacked successfully but it's another that the hacker essentially sets up shop in your house."