Home Depot Shares Drop After Chain Investigates Data Breach

Home Depot, the largest home-improvement chain, fell the most in almost five months after saying it was working with banks and law enforcement to investigate a possible data breach.

“We’re looking into some unusual activity,” Paula Drake, a spokeswoman for the Atlanta-based company, said in an emailed statement. “We are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately.”

Brian Krebs, the independent journalist who uncovered a hacker attack at Target last year, reported that a “massive” batch of stolen credit- and debit-card information went on sale this morning. There’s evidence that the cards are linked to Home Depot stores, Krebs said on his website, KrebsOnSecurity.

Home Depot shares dropped 2 percent to $91.15 at the close in New York on Tuesday, the largest decline since April 7. The stock has climbed 11 percent this year.

“The criminals are getting smarter faster than the companies,” said Jaime Katz, an analyst for Morningstar in Chicago. “If it is something on the scale of Target, there is obviously significant concern.”

Hackers probably installed malicious software on Home Depot’s point-of-sale cash registers capable of stealing bank account information, names, card expiration dates and other data, said Trey Ford, global security strategist for Boston-based software security company Rapid7. The incident is probably another example of hackers relying on so-called Backoff malware, which the Secret Service estimates has been used to target more than 1,000 businesses over the past year.

“This is effectively a keystroke logger,” said Ford, who doesn’t have direct knowledge of the Home Depot attack. “It’s capturing all that stuff that comes in.”

Target, the Minneapolis-based discount chain, has shown how devastating a data breach can be to a retailer. Hackers struck the company last year during the height of the holiday shopping season, tarnishing its reputation and hampering sales. Target’s slow reaction to the incident also drew criticism from lawmakers, and the company ousted its chief executive officer in May. Brian Cornell, a former PepsiCo executive who took the helm at Target last month, is now working to pick up the pieces.

An investigation by Bloomberg Businessweek found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit-card numbers, along with 70 million addresses, phone numbers and other pieces of personal information.

In Home Depot’s case, the suspected breach may have occurred in late April or early May and could encompass all 2,200 of the company’s stores in the U.S., Krebs said. That means it could be larger than the Target incident, he said.

The attack also may have been performed by the same group of hackers that infiltrated Target, possibly as retribution for the U.S. and Europe placing sanctions on Russia, Krebs said. Stolen cards were marketed on a website by the hackers as being “European Sanctions” and “American Sanctions,” he said.

Citigroup, the third-biggest credit-card issuer in the U.S., said it’s stepping up prevention and detection efforts in the wake of the investigation.

“We are actively monitoring accounts, and if we see suspicious activity we will take appropriate actions, which may include reissuing cards for customers,” Janis Tarter, a spokeswoman for New York-based Citigroup, said in an emailed statement. “We want our customers to know that, consistent with legal requirements, they are not liable for any unauthorized use of their accounts.”

Trish Wexler at JPMorgan Chase, the biggest U.S. credit-card lender, had no immediate comment.

Other chains have suffered hacker attacks in recent months, including the supermarket company Supervalu and the Asian-themed eatery P.F. Chang’s China Bistro.

Apple also struggled with data-security woes this week, after nude photos of celebrities were stolen from iCloud accounts and posted online. Apple said Tuesday that the photos were stolen individually via targeted attacks and it didn’t suffer a data breach.

The hackers who targeted Home Depot probably took their time to retrieve the data without detection, Ford said.

“They are efficient, they are focused, and they manage their risk and exposure the same way a business person would,” he said. “It’s kind of a slow game of cat and mouse.”
