On Monday, Home Depot publicly confirmed reports that they had experienced a data breach impacting debit and credit cards.
They're the world's largest home improvement retailer, operating 2,266 stores in the U.S., as well as 10 Canadian provinces, so news that they were the next big business to be targeted by payment system malware drew immediate comparisons to the Target breach.
Here's a quick rundown on the incident so far.
What are the certain facts about the breach?
Home Depot has stated that there is no evidence that debit card PINs were compromised. However, no evidence does not mean that it didn't happen; all they know for sure is that none of the forensic work points to PIN compromises.
At the same time, the company is saying that the breach impacts customer credit and debit card numbers used in-store between April 2014 and September 2, in the U.S. and Canada.
Shoppers in Mexico and on HomeDepot.com were not impacted by the breach.
If the cards currently being sold by criminals are in fact the cards stolen from Home Depot, then the breach exposed Track 1 and Track 2 data. This means that the customer's name, card number, and expiration date were compromised. Moreover, because all U.S. stores were being targeted, the criminals are able to split the card data into geographic lots, sorted by state and ZIP code.
What is Home Depot doing about this incident?
They've removed the malware from their POS network, but the investigation is ongoing.
In their statement, Home Depot said that they've contracted with two security firms and they're working with banking partners and law enforcement.
In addition, they're offering identity protection to any customer who used a payment card at one of their stores from April 2014 until now. Anyone who wants to take advantage of the offer needs to call 1-800-HOMEDEPOT (800-466-3337) and speak to an agent.
Customers who used their credit cards have zero liability for fraudulent charges, and in some cases those who used debit cards have the same protection. Home Depot says that customers should watch their statements and report any questionable activity to their financial institution.
Finally, Home Depot said that their plan to roll out EMV (Chip and PIN) to all U.S. stores is still moving forward, and that they plan to complete the project before the end of the year.
Is the Home Depot breach as bad as the Target breach?
That isn't clear yet.
While Home Depot confirmed that they were targeted by POS malware, they haven't commented on the total number of records exposed. However, based on the number of new credit cards being sold by criminals online, it is possible this incident could be on the same level as Target, if not bigger.