(Adds Home Depot statement, paragraphs 4-5)
By Nandita Bose
CHICAGO, Sept 3 Customer data could have been
stolen from nearly all of Home Depot Inc's stores in the
United States, according to new information released on
Wednesday by security website KrebsonSecurity.
Brian Krebs, who runs the website, had said on Tuesday
that the problem could affect all of Home Depot's 2,200 stores
in the United States. On Wednesday, he said he found new
evidence that the breach first surfaced on the website Rescator,
where customer credit cards were listed according to store ZIP
code. These codes showed a 99.4 percent overlap with Home Depot
stores, he said.
In all, there were 1,939 codes corresponding to Home Depot
store locations, Krebs' website said. It is not yet clear how
many customers were impacted.
Home Depot has not confirmed that a breach occurred. Company
spokeswoman Paula Drake said the retailer is working with
leading IT security firms, including Symantec Corp and
FishNet Security, to investigate whether there has been a data
"Our forensics and security teams have been working around
the clock since we first became aware of a potential breach
Tuesday morning," she said.
The retailer sought to reassure customers on Wednesday that
they will not be held responsible for any possible fraudulent
charges. It also asked them to closely monitor their accounts
and said it will offer free identity-protection services,
including credit monitoring, to any customers who may have been
Home Depot could be the latest in a string of retailers to
have been hit by security breaches in the recent past. If
confirmed, the Home Depot breach could be among the worst.
U.S. retailers have been slow to adopt chip-reading
technology on their terminals as most Americans do not carry
In one of the most serious incidents, hackers last year
stole at least 40 million payment card numbers and 70 million
other pieces of customer data from Target Corp.
The largest-known breach at a U.S. retailer, however, was
uncovered in 2007, at TJX Cos Inc, operator of the T.J.
Maxx and Marshalls chains, where more than 90 million credit
cards were stolen over about 18 months.
In some situations, companies that conduct investigations
into data breaches may not be able to come to a definitive
conclusion. For instance, Sears Holdings Corp said in
February that an investigation into a possible data breach did
not reveal conclusive information.
Home Depot shares fell 2.4 percent to close at $89.00 on the
New York Stock Exchange on Wednesday.
(Additional reporting by Mark Hosenball in Washington; editing
by Matthew Lewis)