Home Depot confirms credit card breach going back months

September 8, 2014, 10:20 PM UTC

Home Depot has confirmed that hackers gained access to its data system earlier this year, potentially stealing the credit card information of millions of customers.

The home improvement retailer said on Monday that anyone who used a payment card at any of its U.S. and Canadian stores since April may be a victim.

The breach is the latest high-profile attack on national retailers over the past year including Target, Neiman Marcus, and Sally Beauty. Target’s sales declined in the months after the breach was uncovered last December, highlighting how stores can suffer financially after an attack as customers flee to competitors.

Home Depot (HD) learned about the potential of a breach last week after KrebsOnSecurity.com, a cyber security blog, reported that banks suspected that retailer may have been the source of a massive new batch of stolen credit and debit cards for sale online. In the days since, Home Depot has been investigating with the help of law enforcement.

“We want you to know that we have now confirmed that those systems have in fact been breached,” Home Depot told customers on its website on Monday afternoon without going into detail. The do-it-yourself retailer said it does not have an evidence the breach affected its Mexico stores or e-commerce operations.

KrebsOnSecurity has said that Home Depot’s breach could be larger than one that slammed Target at the height of last year’s holiday season. In that case, nearly 40 million credit or debit cards numbers were stolen over three weeks.

In a report on Monday, KrebsOnSecurity said that Home Depot’s hackers had used a new variant of malicious software that had been used against Target (TGT), quoting sources close to the investigation.

Last week, Home Depot CEO Frank Blake called cyber security “a major issue” and said that the retailer has invested in new and more secure credit-card terminals. They take cards with computer chips and create unique codes for each transaction, making them more difficult for hackers to infiltrate. Home Depot will activate the chip-reading technology on the terminals by the end of 2014, well ahead of a retail industry-wide deadline of October 2015, Blake said.

Home Depot has said that customers would not be on the hook for fraudulent charges and would get free credit monitoring if a breach did indeed occur, but urged them to keep an eye out for unusual activity in their accounts.