Home Depot may be the latest retailer facing stolen credit card and debit card information in what could be the biggest breach yet.
The potential theft was reported Tuesday by independent journalist Brian Krebs, who also broke recent news of such hacks at Target, P.F. Chang's and Neiman Marcus, among other retailers.
Krebs reported that the perpetrators might be the same group from Russia and Ukraine that stole customer information from Target last year, in what was the biggest retail hack in U.S. history. He said that the cards were being sold under the names "American Sanctions" and "European Sanctions," suggesting the theft is in response to U.S. and European sanctions against Russia for its actions in Ukraine. The data went on sale Sept. 2 on rescator.so, an underground store that also sold cards obtained from Target and P.F. Chang's, Krebs reported.
"At this point, I can confirm that we're looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," Paula Drake, a spokeswoman for Home Depot, said in an email to BuzzFeed. "Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately."
She added: "Right now, for security reasons, it would be inappropriate for us to speculate further. We will provide further information as soon as possible."
Krebs reported, stunningly, that there's a chance this theft is "many times" larger than Target's. Target's hack affected up to 40 million cards, led to the resignation of its CEO and cost almost $150 million in the second quarter alone.
Kevin Churik, an information technology manager from Pittsburgh, emailed BuzzFeed to say his Visa credit card was closed yesterday after two fraudulent charges were made at a Home Depot in Ypsilanti, Michigan. One was for $60 and the other was for $50. His bank, which he declined to name because the fraud investigation is ongoing, couldn't tell him how it happened, he said.
"Apparently, someone had my numbers and made a duplicate card with a duplicate magnetic stripe," he wrote, adding that he always used the now-closed card at Home Depot. "I live in Pennsylvania, so I was definitely wasn't shopping in Michigan."
Such thefts have become frighteningly commonplace in the past year.
Thieves use websites like rescator.so to buy and sell the unique data copied from a card's magnetic stripe. They then re-encode that data onto new plastic and use those cards to make purchases, typically for high-ticket items they can quickly flip for cash. Usually, the magnetic stripe information is obtained by malicious software planted onto cash registers at retail locations.
If you have more information about the hack, or your card was breached, please email email@example.com
Updates to add comment from consumer whose Visa was closed yesterday following two fraudulent charges at a Home Depot in another state.
Sapna Maheshwari is a business reporter for BuzzFeed News and is based in New York. Maheshwari reports on retail and e-commerce.
Contact Sapna Maheshwari at firstname.lastname@example.org.
Got a confidential tip? Submit it here.