(AP) Home Depot may be the latest retailer to suffer a major credit card data breach.
The Atlanta-based home improvement retailer told The Associated Press Tuesday that it is working with both banks and law enforcement to investigate "unusual activity" that would point to a hack.
"Protecting our customers' information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers," said Paula Drake, a spokeswoman at Home Depot, declining to elaborate. She said the retailer would notify customers immediately if it confirms a breach.
Shares of Home Depot Inc. fell $1.88, or 2 percent, to close at $91.15.
Hackers have broken security walls for many retailers in recent months, including Target, grocery store chain Supervalu, P.F. Chang's and the thrift store operations of Goodwill. The rash of breaches has rattled shoppers' confidence in the security of their personal data and pushed retailers, banks and card companies to increase security by speeding the adoption of microchips into U.S. credit and debit cards.
Supports say chip cards are safer, because unlike magnetic strip cards that transfer a credit card number when they are swiped at a point-of-sale terminal, chip cards use a one-time code that moves between the chip and the retailer's register. The result is a transfer of data that is useless to anyone except the parties involved. Chip cards are also nearly impossible to copy, experts say.
The possible data breach at Home Depot was first reported by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity. Krebs said multiple banks reported "evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards" that went on sale on the black market earlier Tuesday.
Krebs reported that it's not clear how many stores were affected but preliminary analysis indicates the breach may have affected all 2,200 Home Depot stores in the U.S. Several banks that were contacted said they believe the breach may have started in late April or early May.
"If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period," said the Krebs post.
Krebs said that the party responsible for the breach may be the same group of Russian and Ukrainian hackers suspected in the Target breach late last year. Krebs also broke the news of Target's breach.
Target Corp., based in Minneapolis, is still trying to get beyond its massive breach that occurred late last year and hurt sales, profits and its reputation with customers. It has been overhauling its security department and systems and is accelerating its $100 million plan to roll out chip-based credit card technology in all of its nearly 1,800 stores.
New payment terminals will appear in stores by this month, six months ahead of schedule. In April, the retailer announced it teamed up with MasterCard to issue branded Target payment cards equipped with chip technology by early in 2015.
Tips to protect yourself:
Below are nine tips gleaned from three security experts interviewed by CBS MoneyWatch on how to protect yourself amid the growing security threat.
1. Check your credit card and debit card statements on a line-by-line basis. “There is absolutely no substitute for being vigilant,” Samid said. Thieves may place a small charge — just a dollar or two — to check if the card is active. Because of this, report any questionable charge, no matter how small.
2. If you notice an unauthorized charge, ask your financial provider to cancel the card and issue you a new one. “This is most advisable with a debit card,” Kroll’s Lapidus noted.
3. Consider tools for monitoring both your credit profile and your card activity. Target is offering a credit-monitoring service for customers, which Lapidus believes affected individuals should enroll in. Consumers may also want to use a bill-monitoring service such as BillGuard, which uses crowdsourcing to flag suspicious charges. The service has caught $60 million in fraudulent charges during the past two years, Samid said.
4. Be suspicious of correspondence claiming to be from your bank or the retailer you shopped at. Because Target’s security breach also included theft of personal data, it’s more likely the thieves will use “phishing” to convince you to part with even more sensitive information, such as passwords.
5. Phishing isn’t only done via the phone and email. Scams also abound on Twitter and Facebook. For instance, already a “phishing” tweet purporting to offer a link to check if you were a victim of the breach has surfaced, Samid notes. Once you click on it, it asks you to re-enter your Twitter password. This could end up as a major financial problem if you use the same password for your bank accounts.
6. Double check the URL of the bank or retailer in any correspondence you receive. If it doesn’t look right, don’t click on it. Better yet, enter your bank’s URL in a separate browser window, to ensure you are reaching your bank and not a scam site.
7. Change your passwords. An astounding number of people use simple passwords like “password” or “1234” for their accounts, notes Neil Chase of Lifelock, which offers identity-theft protection services. Some consumers may want to use a password generator, although for most people changing their passwords to include capital letters, symbols or numbers may be enough.
8. Shred documents. While the focus in Target’s security breach has been on electronic theft of data, criminals still steal physical documents, Chase notes. Remember to keep all your data secure, not just your online information.
9. Be aware if you start receiving strange pieces of mail, Kroll’s Lapidus said. While it might mean nothing, it could also “be a sign that data has been compromised.”