Home Depot confirmed Tuesday that it is the latest victim of a massive payment data breach caused by malware similar to the kind that stole 40 million credit and debit card numbers from Target customers in late 2013. The company says the breach could have begun as far back as April and may affect purchases made in all 2,200 Home Depot stores in the U.S.
Home Depot did not speculate as to how many customers will be affected, but considering Target’s data breach occurred over only three weeks, and Home Depot’s breach could have taken place over four months, this could easily surpass Target in scale.
The company emphasized that PINs were not stolen. However, security website KrebsOnSecurity reports that Home Depot customers’ credit and debit card data is for sale online and includes the cardholder’s full name as well as the city, state, and zip code of the store where they made a purchase.
Using this information, thieves could create counterfeit copies of debit cards, reset a customer’s PIN number, and make fraudulent ATM withdrawals, KrebsOnSecurity says, adding that some banks have already reported this kind of suspicious activity and are linking it to Home Depot.
Since the malware affected in-store card readers, Home Depot announced plans to install more secure, chip-enabled checkout terminals in all U.S. stores before 2015. It is also offering free credit monitoring services to affected customers and says victims will not be responsible for any fraudulent charges that occur as a result of this leak.