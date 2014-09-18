(Recasts, adds details about costs of breach and likelihood of
By Jim Finkle and Nandita Bose
BOSTON/CHICAGO, Sept 18 Home Depot Inc
Thursday said some 56 million payment cards were likely
compromised in a cyberattack at its stores, suggesting the
hacking attack at the home improvement chain was larger than
last year's unprecedented breach at Target Corp.
Home Depot, in providing the first clues to how much the
breach would cost, said that so far it has estimated costs of
$62 million. But it indicated that costs could reach much
higher.
It will take months to determine the full scope of the
fraud, which affected Home Depot stores in both the United
States and Canada and ran from April to September.
Retailer Target incurred costs of $148 million in its second
fiscal quarter related to its breach. Target hackers stole at
least 40 million payment card numbers and 70 million other
pieces of customer data.
Home Depot said that criminals used unique, custom-built
software that had not been seen in previous attacks and was
designed to evade detection in its most complete account of what
had happened since it first disclosed the breach on Sept. 8.
The company said that the hackers' method of entry has been
closed off, the malware eliminated from its network, and that it
had rolled out "enhanced encryption of payment data" to all U.S.
stores.
"We apologize to our customers for the inconvenience and
anxiety this has caused and want to reassure them that they will
not be liable for fraudulent charges," Chief Executive Frank
Blake said in a statement.
Of the estimated cost so far of $62 million, which covers
such items as credit monitoring, increased call center staffing,
and legal and professional services, Home Depot said it believes
that $27 million of the amount will be paid for by insurers.
But the company said it has not yet estimated the impact of
"probable losses" related to the possible need to reimburse
banks for fraud and card replacement, as well as covering costs
of lawsuits and government investigations.
"Those costs may have a material adverse effect on The Home
Depot's financial results in the fourth quarter and/or future
periods," the company said in its statement.
Wesley McGrew, an expert of retail breaches who is an
assistant research professor at the department of computer
science at Mississippi State University, said that Home Depot is
going to be expected to bear the costs related to fraud and
payment card replacement.
Banks typically seek to get retailers to cover those costs
if there are any indications of shortcomings in their security.
Criminals have frequently used software that evades
detection, but retailers are expected to closely monitor their
networks using tools that are designed to uncover signs of a
crime in progress, McGrew said.
"It's hard to feel sorry for them when there are things they
could have done to improve the security of these transactions,"
McGrew said.
Hitesh Sheth, chief executive of Vectra Networks, a
cybersecurity firm in San Jose, California, said Home Depot's
breach exposes a weakness, noting that the company said hackers
used unique, custom-built malware.
That "essentially means the technology they are using is
only designed to detect malware that has already been used in a
previous attack, and that is symptomatic of the retail
industry," Sheth said.
"Retailers need to upgrade to technology that is available
and detects behavior of malware that is new because these
attacks are not going to stop anytime soon."
For its fiscal year ending in February, Home Depot revised
its earnings estimate to $4.54 per share from $4.52. In addition
to the cost related to the breach, it said the estimate includes
a pre-tax gain of about $100 million on the sale of 3.6 million
common shares of HD Supply stock.
The company left its outlook for sales growth for the year
at 4.8 percent.
(Reporting by Jim Finkle in Boston and Nandita Bose in Chicago;
Additional reporting by Shailaja Sharma in Bangalore; Editing by
Leslie Adler and Jilian Mincer)