After nearly a week of investigation, Home Depot on Monday confirmed that intruders had indeed broken into its payment networks and accessed credit and debit card data belonging to an unspecified number of customers who shopped at its U.S. and Canadian stores.
The statement announcing the breach did not detail the number of stores affected or the total number of cards compromised. Instead, it merely noted that the company is looking into the possibility that the breach occurred in April.
Home Depot also said there is no evidence that debit Personal Identification Numbers (PIN) were compromised. Nor is there evidence the breach affected any Home Depot stores in Mexico or purchases made online at the company's website.
Since being told about the breach last Tuesday, Home Depot has been working around the clock to mitigate the situation, the company added.
"We apologize for the frustration and anxiety this causes our customers," Frank Blake, chairman and CEO of Home Depot, said in the statement. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges."
The statement is interesting because it makes no mention at all of the potential size and scope of the breach.
According to security blogger Brian Krebs, who first reported the intrusion, evidence from the cyber underground suggests that nearly every one of Home Depot's 2,200 stores in the U.S were impacted. The fact that the breach also remained undetected for more than three months suggests that it may end up being the biggest compromise of payment card data ever, Krebs noted.
In fact, the Home Depot breach could turn our to be several times larger than the one at Target last December in which more than 40 million payment cards were compromised.
The breaches have highlighted escalating concerns over a point of sale (PoS) system malware tool dubbed "Backoff" that has affected over 1,000 U.S, businesses, according to federal law enforcement authorities. Security firm Kaspersky Labs, which conducted its own research of the malware, believes the number could be much higher.
If other large breaches are any indication, the data compromise at Home Depot could cost the retailer hundreds of millions of dollars in remediation costs, fines and legal fees.
Since news of the breach went public, Home Depot's shares have fallen by about 3% from $93.11 last Tuesday to $90.82 on Monday. After the company confirmed the breach late Monday, its shares dropped by nearly another percent in after-hours trading.