BOSTON/CHICAGO (Reuters) - Home Depot Inc Thursday said some 56
million payment cards were likely compromised in a cyberattack at
its stores, suggesting the hacking attack at the home improvement
chain was larger than last year's unprecedented breach at Target
Corp .
Home Depot, in providing the first clues to how much the breach
would cost, said that so far it has estimated costs of $62 million.
But it indicated that costs could reach much higher.
It will take months to determine the full scope of the fraud, which
affected Home Depot stores in both the United States and Canada and
ran from April to September.
Retailer Target incurred costs of $148 million in its second fiscal
quarter related to its breach. Target hackers stole at least 40
million payment card numbers and 70 million other pieces of customer
data.
Home Depot said that criminals used unique, custom-built software
that had not been seen in previous attacks and was designed to evade
detection in its most complete account of what had happened since it
first disclosed the breach on Sept. 8.
The company said that the hackers’ method of entry has been closed
off, the malware eliminated from its network, and that it had rolled
out "enhanced encryption of payment data" to all U.S. stores.
"We apologize to our customers for the inconvenience and anxiety
this has caused and want to reassure them that they will not be
liable for fraudulent charges," Chief Executive Frank Blake said in
a statement.
Of the estimated cost so far of $62 million, which covers such items
as credit monitoring, increased call center staffing, and legal and
professional services, Home Depot said it believes that $27 million
of the amount will be paid for by insurers.
But the company said it has not yet estimated the impact of
"probable losses" related to the possible need to reimburse banks
for fraud and card replacement, as well as covering costs of
lawsuits and government investigations.
"Those costs may have a material adverse effect on The Home Depot’s
financial results in the fourth quarter and/or future periods," the
company said in its statement.
Wesley McGrew, an expert of retail breaches who is an assistant
research professor at the department of computer science at
Mississippi State University, said that Home Depot is going to be
expected to bear the costs related to fraud and payment card
replacement.
[to top of second column] |
Banks typically seek to get retailers to cover those costs if there
are any indications of shortcomings in their security.
Criminals have frequently used software that evades detection, but
retailers are expected to closely monitor their networks using tools
that are designed to uncover signs of a crime in progress, McGrew
said.
"It’s hard to feel sorry for them when there are things they could
have done to improve the security of these transactions," McGrew
said.
Hitesh Sheth, chief executive of Vectra Networks, a cybersecurity
firm in San Jose, California, said Home Depot's breach exposes a
weakness, noting that the company said hackers used unique,
custom-built malware.
That "essentially means the technology they are using is only
designed to detect malware that has already been used in a previous
attack, and that is symptomatic of the retail industry,” Sheth said.
“Retailers need to upgrade to technology that is available and
detects behavior of malware that is new because these attacks are
not going to stop anytime soon.”
For its fiscal year ending in February, Home Depot revised its
earnings estimate to $4.54 per share from $4.52. In addition to the
cost related to the breach, it said the estimate includes a pre-tax
gain of about $100 million on the sale of 3.6 million common shares
of HD Supply stock.
The company left its outlook for sales growth for the year at 4.8
percent.
(Reporting by Jim Finkle in Boston and Nandita Bose in Chicago;
Additional reporting by Shailaja Sharma in Bangalore; Editing by
Leslie Adler and Jilian Mincer)
[© 2014 Thomson Reuters. All rights
reserved.] Copyright
2014 Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.
|