As consumers across the country waited Wednesday for Home Depot to come forward with details about a reported massive hacker breach of its networks, experts said it appears damage from the attack could well exceed the 40 million cards and 70 million people exposed by last year’s Target attack.
"The Home Depot breach is virtually identical. All the major characteristics are virtually identical to the Target breach," said John Moynihan, principal with Minuteman Governance, which trains corporate employees on keeping networks secure. "The cards that are being sold now, stolen Home Depot cards, are on the exact same underground website that sold the Target cards. This is a group from eastern Ukraine, Russia -- it's likely the same group."
But Moynihan said the Home Depot breach is likely to involve far more cards and people than the Target attack did. "I think it's going to be dramatically larger because of the time period. They were in the systems from April or May till yesterday at the Home Depot."
"We are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further -- but we will provide further information as soon as possible," Home Depot said.
One indication Wall Street thinks Home Depot has a serious problem: Its stock has lost $5 billion in value since Tuesday afternoon, when the breach was first reported. After dropping 2 percent Tuesday, shares of Home Depot fell another 2.4 percent Wednesday.
The Home Depot breach is likely to focus new attention on efforts underway at Target and WalMart and some other U.S. chains to adopt European-style charge cards with computer chips inside that encrypt the transfer of data at the register. That would thwart a crude kind of data breach – typically perpetrated by employees – where devices are attached to point-of-sale terminals to skim off credit card data to create cloned cards and offer far greater security than today’s magnetic-stripe cards most widely used in the U.S.
But Ralph Dangelmaier, CEO of BlueSnap, a Waltham, Mass., company that provides systems securing online charge-card transactions for retailers and offers an alternative to Visa and PayPal, said even had such a system been in place, it wouldn’t have prevented the apparent Home Depot breach.
"It won’t solve this problem, and the problem we have right now is protecting the database, protecting the networks. That's the problem that we're trying to defend with Home Depot and with Target," Dangelmaier said. For consumers, Home Depot’s practice of storing credit-card data on its network after purchases were complete has the upside of speeding up the processing of refunds – but the downside that those data are available to a hacker who can break into the network, Dangelmaier said.
His bottom line for consumers – and Moynihan’s, too – is: Don’t wait to take action if you used a credit or debit card at Home Depot anytime this spring or summer.
"You need to cancel your credit card and get it reissued. That's the safest possible thing you can do to protect yourself. Cancel your Home Depot credit card. I'm sorry for the Home Depot cards -- but I think that's something you should do," Dangelmaier said.
"Return that card. Cancel that card," Moynihan agreed. "Disable it. Because it’s going to be sold on these underground hacking forums."
With videographer Scott Wholley