The possibility was first flagged by Brian Krebs, who received word that two batches of credit and debit card information apparently stolen from the company are currently on sale on the infamous rescator(dot)com underground carder market.
One batch seemingly contains card data of European users, the other that of US customers.
"There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others," he noted.
"It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States."
The alarm was first raised by several banks, who bought the card batches from the criminals and went through them to identify affected customers. They seem to believe that the breach may have initially happened in late April or early May 2014.
If so, the crooks could have in their hands a number of cards that will greatly surpass the number compromised in the Target breach, Krebs noted.
"We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate," The Home Depot noted in a statement published on their website. "If we confirm a breach has occurred, we will make sure our customers are notified immediately."
They also made sure to point out to the potentially affected customers that they will not be responsible for any possible fraudulent charges.
"Make sure you are closely monitoring your accounts and reach out to your card issuer should you notice any unusual activity," they advised. "If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers."
"The potential breach at Home Depot feels like deja vu in the wake of Target's massive breach last year. The reported extent and timeline dating back to April and May of this year would indicate a similar type of incident to Target where attackers were able to get onto the network to siphon off large amounts of data without being detected," commented Eric Chiu, president and co-founder at HyTrust.
"These breaches are no longer a security or IT issue, but rather a business issue given the potential of massive losses and brand damage. Consumers should be able to expect better security from us. Especially as organizations are hit with breaches similar to others in their same industry…and worse, one that follows a breach of their own systems."
Philip Lieberman, CEO of Lieberman Software, said that he was not surprised this has happened. "We were in contact with them many years ago trying to convince them to implement automation technology to rotate their passwords, but they chose to implement a less expensive and inferior solution from an off-shore company. The rest of the targets in the listed article by Krebs purchased the same ineffective technology from the same off-shore company with similar results."
"Organized criminal syndicates are actively targeting US retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected," Ken Westin, security analyst at Tripwire, pointed out.
"There's little that consumers can do directly to protect themselves from these sorts of compromises," concluded Patrick Thomas, security consultant at Neohapsis. "Certainly all consumers should keep a close eye on their credit card statements and credit report, but they can also vote with their dollars and reward companies that publicly demonstrate a commitment to security."