Home Depot Inc. confirmed Monday that its credit and debit card
systems were breached at its U.S. and Canadian stores in a security
breach that may have stretched back to April.
The acknowledgment is the result of an investigation began by
the home improvement company after it first learned about what it
called unusual activity last Tuesday. Since then, it has been
working with law enforcement and banks, as well as with computer
security firms Symantec Corp. and Fishnet Security, to
investigate.
The data breach at Home Depot--which may have begun during the
company's key spring selling season--is the latest in a series of
data security attacks on retailers, restaurants and other companies
including Target Corp., Neiman Marcus Group Ltd. and P.F. Chang's
China Bistro.
The software used in the attack appeared to be a reworked
version of the malware used against Target, a person familiar with
parts of the investigation said. That doesn't necessarily mean the
attack was the work of the same hackers. The card stealing code,
known as Black POS, has been widely sold on underground hacking
forums since being crafted by a Russian teenager in 2012,
cybercrime experts have said.
In this case it appears someone, sometimes coding in Russian,
made his or her own changes, the person said. This included
stylistic flourishes including links to a Wikipedia article on a
list of wars involving the U.S. and the website for a book titled,
"America's Deadliest Export: Democracy."
Home Depot has assured customers that they won't be responsible
for any fraudulent charges on their credit or debit cards and has
promised to offer free identity-protection services, including
credit monitoring, to any affected customers.
Write to Shelly Banjo at shelly.banjo@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires