By Nandita Bose and Nathan Layne
(Reuters) – Home Depot Inc said on Tuesday it was working with law enforcement to investigate “some unusual activity” related to customer data but that it could not confirm if it had become the latest retailer to be hit by a large-scale security breach.
Shares of the home improvement chain closed 2 percent lower at $91.15 on the news, which highlights growing scrutiny of data security in the retail industry following a massive breach at Target Corp last year.
“At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Home Depot representative Paula Drake wrote in an emailed statement to Reuters.
“If we confirm that a breach has occurred, we will make sure customers are notified immediately.”
The statement came after security website KrebsonSecurity first reported that multiple banks had seen evidence that Home Depot may be the source of stolen credit and debit cards put up for sale on underground markets. Brian Krebs, who runs the website, could not be immediately reached for comment.
Krebs wrote on his website that his preliminary analysis indicated the problem could affect all of Home Depot’s 2,200 stores in the United States. He said several banks he contacted believed the breach could extend back to April or May of this year.
“If that is accurate – and if even a majority of Home Depot stores were compromised – this breach could be many times larger than Target,” Krebs wrote.
In the Target breach, which hit the retailer during the important year-end holiday shopping season, hackers stole at least 40 million payment card numbers and 70 million other pieces of customer data.
The incident cost the company hundreds of millions of dollars and prompted numerous investigations by attorneys general and congressional hearings and inquiries. In May, the company ousted its CEO, Gregg Steinhafel, who has now been replaced by former Walmart Stores Inc executive Brian Cornell.
Numerous companies have come under the spotlight for potential breaches in recent months.
In some situations, companies that conduct investigations into data breaches may not be able to come to a definitive conclusion. For instance, Sears Holdings Corp said in February that an investigation into a possible data breach did not reveal conclusive information.
Retailers have been taking steps to better protect customer data.
Walmart Stores Inc said last week that 4,600 of its group stores were now using payment terminals capable of reading credit and debit cards that store information on computer chips. Such cards are more secure than conventional ones that store data on magnetic stripes. The bulk of those stores activated the terminals this year, spokesman Randy Hargrove said. The retailer plans to activate terminals in its remaining U.S. stores by the end of 2014.
(Reporting by Nandita Bose and Nathan Layne in Chicago; additional reporting by Alina Selyukh in Washington; editing by Matthew Lewis)