NEW YORK (CNNMoney) — Home Depot on Monday confirmed that hackers indeed broke into its payment systems — maybe as far back as April.
Home Depot’s hack might be even bigger than Target’s was last year. In Target’s case, hackers slipped in for three weeks and grabbed 40 million debit and credit cards. Hackers remained in Home Depot’s computers — unnoticed — for about five months.
Hackers stole debit and credit card data from shoppers in the United States and Canada. The question now is how many millions of shoppers are affected.
Home Depot said it’s still investigating the breach, but said there’s still “no evidence” debit card PINs were exposed.
But noted Internet fraud expert Brian Krebs, who first reported the Home Depot breach a week ago, wrote early Tuesday that there’s a sharp increase in recent days in fraudulent withdrawals from bank accounts, and that information from debit cards used while shopping at Home Depot stores is allowing thieves to make the withdrawals.
“If the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs,” Krebs wrote. “Experts say the thieves are who perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online.”
Home Depot spokeswoman Paula Drake would not comment on Krebs’ report of the hacked information being used to steal from bank accounts. She also wouldn’t comment on how many cards might have been hacked.
The company says it first became aware of the breach on Sept. 2, after receiving calls from banks and law enforcement. Home Depot said it’s working with the U.S. Secret Service to determine the scope of the hack.
So far, though, the company thinks only customers who shopped at brick-and-mortar stores in the U.S. and Canada were affected. Online customers — and those who shopped in its Mexico stores — were spared.
The home improvement chain is taking measures that are now typical of retailers victimized by cyberthieves. It’s offering free identity protection and credit monitoring to anyone who shopped there since April, and the store is replacing its card swiping terminals with machines that accept the more secure chip-enabled EMV cards.
Home Depot now joins the growing list of companies that have lost your data in the past year: Albertson’s, Target, Michaels, Neiman Marcus, P.F. Chang’s and SuperValu.
It’s gotten so bad, CNNMoney developed its own tool that tells you if your information has been compromised: What hackers know about you.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Home Depot CEO Frank Blake in a statement late Monday.
— Chris Isidore and Logan Whiteside contributed to this report.