Home Depot confirms suspected customer data breach

Anyone who shopped at a Home Depot store with a payment card since April may be exposed to the hack, the home improvement retailer says.

Steven Musil Night Editor / News

Home Depot revealed Monday that a security breach of customer payment data did occur at its stores, confirming suspicions raised last week that millions of its customers could be at risk of fraud.

Following an announcement last Tuesday that it was investigating "unusual activity" related to customer payment cards, the Atlanta-based home improvement retailer said any customer who used a credit or debit card in its US stores since April could be affected by the breach.

"We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward," the company said in a statement posted to its website. "We do not have any evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com."

The statement went on to say it apologized for the "frustration and anxiety" the security lapse has caused and said customers would not be responsible for fraudulent charges made on their accounts.

Home Depot did not indicate what kind of data was exposed or how many customers were affected but did say there was no evidence that debit card personal identification codes had been compromised. CNET has contacted Home Depot for comment and will update this report when we learn more. The New York Times reported that a source briefed on the investigation said the total number of payment cards exposed could exceed 60 million.

The possibility of a breach was raised by security reporter Brian Krebs, who reported that "multiple banks" had seen evidence that Home Depot may be the source of a large cache of stolen customer credit and debit cards put up for sale on black markets. Krebs wrote that he suspected the breach may have begun in late April and extend to all 2,200 Home Depot stores in the US.

In an update late Sunday, Krebs wrote that he suspected that the same malware that hacked the accounts of Target customers late last year may have compromised credit card information at Home Depot. One of Krebs' sources said that at least some of Home Depot's store registers were infected by a new variant of a malware strain known as "BlackPOS," the same type of malware found on point-of-sale systems at Target in last year's attack.

The hack of retail giant Target, in which hackers obtained credit card data of 40 million customers and the personal information for an additional 70 million customers who shopped in its stores late last year, came at the beginning of an apparent uptick in security breaches at retail locations.

Over the past few months, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang's revealed they were victims of security breaches aimed at stealing customers' credit card information.
