Employee John Abou Nasr pushes shopping carts in the parking lot of a Home Depot in Methuen. (THE ASSOCIATED PRESS) |
Home Depot Inc. said a data breach between April and September put about 56 million payment cards at risk, signaling that the hacker attack was bigger than the one that struck Target Corp. last year.
The hackers used custom-made software to evade detection, relying on tools that haven't been seen in previous attacks, Atlanta-based Home Depot said Thursday in a statement. The company began investigating the breach on Sept. 2, immediately after banking partners and law enforcement raised alarms that its systems may have been infiltrated.
Home Depot, which first acknowledged the attack earlier this month, has become one of the biggest victims of hackers' war on retailers. The world's largest home-improvement chain expects to pay about $62 million this year to recover from the incursion, including additional costs for call-center staffing and legal expenses. Insurance will cover $27 million of that tab, the company said.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Chief Executive Officer Frank Blake said in the statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
So far, the hacker attack hasn't hurt Home Depot's growth prospects. Sales have been progressing as expected this quarter, the company said Thursday. For the year, the chain expects revenue to increase 4.8 percent.
The company also raised its annual profit forecast to $4.54 a share, up from a prediction of $4.52 last month. Included in this guidance is a pretax gain of $100 million from the sale of shares in HD Supply Holdings Inc., a Home Depot spinoff.
Home Depot shares also haven't suffered much from the breach revelation. Since the attack was first made public on Sept. 2, the shares have gained 1 percent. The stock was little changed Thursday in extended trading after the latest announcement.
The company reiterated Thursday that there's no evidence personal identification numbers for debit cards were compromised. That data is especially sensitive because it can be used to withdraw cash from an automated teller machine. The chain also affirmed that purchases made online and at stores in Mexico weren't affected.
The sales impact on Home Depot also may be muted because this breach was disclosed in September, after Home Depot's key selling season, according to Bloomberg Intelligence.
Target, in contrast, suffered a bigger blow from its attack. The breach, which affected 40 million payment cards, came during the height of last year's holiday-shopping season. As of Aug. 2, the discounter recorded $146 million in expenses related to the incursion.
After the attack became public in December, Target's reputation and foot traffic took a hit. The Minneapolis-based company's U.S. comparable-store sales decreased 2.5 percent in the fourth quarter.
For Home Depot, the attack coincides with a CEO transition. Craig Menear, the chain's president of U.S. retail, will succeed Blake as the company's leader on Nov. 1. Blake, who took over in 2007, will remain chairman of the board.
No comments:
Post a Comment