H- Home Depot

posted Sep 4, 2014, 5:34 AM by WECB640   [ updated Oct 7, 2014, 9:08 AM ]

The home-improvement retailer said Wednesday September 3, 2014 that it still hasn't determined whether a breach actually occurred but told customers they won't be responsible for any possible fraudulent charges on their credit or debit cards if one did.

Home Depot said it has hired computer security firms Symantec Corp. SYMC +0.04%and Fishnet Security to help it investigate the possible breach.

The company advised customers to closely monitor their accounts and contact their card issuers if they notice any unusual activity. It also promised to offer free identity-protection services, including credit monitoring, to any affected customers if it ends up confirming a breach occurred.

"Our forensics and security teams have been working around the clock," spokeswoman Paula Drake said. "In the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges."

Related Video

Home Depot, Toll Brothers and Navistar International are among stocks to watch today. WSJ's Polya Lesova joins Simon Constable on the News Hub with the details. Photo: Getty

The home improvement retailer said it first learned of a potential breach on Tuesday and is working with law-enforcement agencies to investigate what it called unusual activity. The company wouldn't say more precisely what was being investigated or how many of its nearly 2,000 U.S. stores might have been affected.

"We know that this news may be concerning, and we apologize for the worry this can create," Home Depot said on a notice posted on its website Wednesday. "If we confirm a breach has occurred, we will make sure our customers are notified immediately."

The potential breach is the latest in a string of high-profile attacks on retailers and restaurants including Target Corp. TGT +0.33% , Neiman Marcus Group Ltd. and P.F. Chang's China Bistro. Home Depot is the fourth-largest U.S. retailer by revenue, afterWal-Mart Stores Inc., WMT +0.34% Costco Wholesale Corp. COST -0.17% and KrogerCo. KR +0.53%

Target's data breach ran through the start of the holiday shopping period last year and highlighted the industry's vulnerability to new hacking software capable of infiltrating point-of-sales systems. The attack compromised data from 40 million payment cards and personal information for up to 70 million customers.

The news that Home Depot was investigating a possible data breach was reported earlier by security blogger Brian Krebs. Batches of new stolen credit and debit cards popped up on a hacker website, and the breach may have extended across all of Home Depot's U.S. stores and could date back to late April or May, Mr. Krebs reported.

While most retailers' busiest shopping times occur during the December holidays, Home Depot's arrive during the spring, when customers are coming in to buy patio sets or garden plants. The fix-it chain has been enjoying record sales and reported a 5.8% increase in sales for the quarter ended Aug. 3, excluding newly opened or closed stores. Last month, the chain said company veteran Craig Menear would take over from Frank Blake as chief executive in November.

Data breaches can be rough on a retailer's business, denting consumer confidence and shopper traffic, while causing companies to incur costs for things such as identity-theft monitoring. Customer traffic and sales sank following the holiday data breach at Target, and the retailer's chief information officer and CEO left in its wake. Through early August, Target had booked $146 million in breach-related expenses even after insurance payments.

According to Stifel Nicolaus analyst David Schick, a similarly sized breach could dent Home Depot's earnings by seven cents a share in 2014, when the company has forecast $4.52 a share.

Home Depot said it first learned of a potential breach on Tuesday. Reuters

The high-profile data breaches have helped to accelerate bank issuance of credit and debit cards that are embedded with computer chips, which are safer than those with traditional magnetic strips because they create unique codes for each transaction.

Retailers also have been adopting new credit-card terminals at cash registers that take the new cards. Wal-Mart, which said it had installed the terminals about eight years ago, has activated them in more than 4,600 stores.

Home Depot also has been among the most aggressive U.S. retailers to install such terminals to reduce card fraud. It said it is now in the process of activating the chip-reading technology on its terminals, which also can conduct transactions for cards that have a magnetic strip.

Retailers have been slow to activate the machines because most Americans still don't carry chip-enabled cards, said Mark Horwedel, a former Wal-Mart payments executive and president of Merchant Advisory Group, a payments trade group made up of nearly 80 merchants including Home Depot, Wal-Mart and Target.

"Regardless of what a merchant does to enable the new systems, these breaches will continue as long as there are magnetic stripe cards still out there," Mr. Horwedel said. "It's virtually impossible for merchants to plug all the holes in our current payment system, and that's why you're seeing these breaches occur on a fairly regular basis."