Day Four.
With Home Depot four days into a massive and highly complex cyber investigation led by the FBI and security giants like Symantec, chief executive Frank Blake took time out from his speech at Goldman Sachs in New York to address the issue. In the talk, Blake admitted the $122 billion company still didn't know what was going on, four months after the cyber breach occurred.
"We found out about a potential data breach on Tuesday morning, this past Tuesday morning. Since then our internal teams and third parties have been working around the clock to find the breach," Blake said.
"We were in a situation like this you have a choice. On the one hand you can wait to communicate anything until you have the facts at hand, or you can communicate the facts as you know them. We chose the latter path," he added, presumably to light applause.
Home Depot was notified by American and European banks on Tuesday that Home Depot-issued credit cards were showing up in bulk on sites like Rescator.cc, which Russian, Ukrainian, and other hackers use to sell boosted customer data from retailers. The breach, which could affect the data of millions of Home Depot customers, occurred in May.
The mysterious attack is unusual and is the talk of the cyber security community. The Goldman Sachs conference in New York is the first time Blake has addressed the baffling cyber conundrum. Meanwhile, millions of customers at the $122 billion home retailer are scrambling to find out if their credit data is being sold on the black market.
"We have advised our customers that we are investigating a potential breach," Blake continued, according to a transcript emailed to VentureBeat. "We have told them the things that we think are most important for them.
"[N]amely, number one, they are not liable for any credit card fraudulent transactions that relate to any potential breach. Second, that they ought to be monitoring their accounts for unusual activity; and third, that we will provide them credit monitoring and identity theft protection for free in the event it turns out there was a breach."
Security experts believe the Home Depot breach is massive and closely resembles the colossal attack that hit retail giant Target last year, with 70 million credit cards lifted for $100 million in fraudulent charges. That attack began when Target's point-of-sale servers were infected with potent malware by cyber criminals operating from Russia.
Indeed, Chris Weltzien, chief executive of security outfit 6Scan, said the attack was generating heavy talk and speculation among cyber researchers. There is also serious belief that the Home Depot attacks may be in retaliation for U.S. and Western European sanctions on Russia for its military foray into Ukraine and that Russia is playing a role.
“The latest batch of stolen cards are being sold under the name ‘American Sanctions,’ and initial sanctions for the annexation of Crimea [were] put in place in April/May time frame,” Weltzien said earlier. “Home Depot does a huge business in their own credit cards.”
If the breach is as big as researchers believe, it raises serious questions about Home Depot's security and the security of other retailers too: The company's vulnerability to cyber thugs was called out four months after the breach purportedly occurred, and the company learned of it only through third parties on Tuesday.
Blake finished his remarks by telling customers not to worry.
"And as I say we are working diligently now with our internal and third-party teams. Obviously for retail, for us, for our banking partners, cyber security is a major issue. We have invested into this. All of our terminals are EMV. PIN and chip hardware is on those terminals," he said.
"We are going to continue to investigate this potential breach intensely. We will communicate to our customers and obviously to all of you as we can dimensionalize the problem, if there is a problem."
We shall see.
