Home Depot confirms data breach, which may have started in April

Home Depot Inc. confirmed that its payment data systems had been breached, saying that its investigation is stretching back as far as April.

The Atlanta home improvement chain said Monday the breach could affect customers who used credit or debit cards at its stores in the U.S. and Canada. So far, online shoppers and customers at its Mexico locations are not affected.

Frank Blake, Home Depot’s chief executive, said customers would not be responsible for fraudulent charges, and the company would provide access to free identity protection services.

“We apologize for the frustration and anxiety this causes our customers,” Blake said.

Home Depot said its investigation began Tuesday after law enforcement and its banking partners warned the company that cybercriminals may have hacked its payments systems. It has since worked with security personnel, banks and the Secret Service to learn more, and is still looking into “the full scope, scale and impact of the breach.”

Home Depot is among a growing group of retailers, including Target Corp. and Neiman Marcus, that have been hit by hackers.

Security journalist Brian Krebs first reported the Home Depot hack on his website Tuesday, saying the company may have been the target of a “massive” trove of debit and credit card information that went on sale in the “cyber-crime underworld.”

Krebs, who broke the story of the Target breach last year, said it appears the latest hack involves “nearly all” of Home Depot’s stores around the country.

“The Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks and resulted in the theft of roughly 40 million debit and credit card numbers,” he wrote. “If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.”

Follow Shan Li on Twitter @ShanLi