September 19, 2014 - 5:00 AM
TORONTO - Home Depot said Thursday that 56 million payment cards used at its American and Canadian stores between April and September were compromised by a type of criminal software that hadn't previously been seen in other attacks.
The Atlanta-based home improvement retailer said any terminal with the malware has been taken out of service and that it completed introducing new encrypted terminals in all of its U.S. stores on Sept. 13, less than two weeks after the attack was discovered.
Home Depot says it will complete installing new encrypted terminals at its Canadian stores early next year but added they are already equipped to handle credit cards with embedded chips and personal identification numbers.
The company continues to say there is no evidence that debit card personal identification numbers have been compromised or that online shoppers were affected at homedepot.ca or homedepot.com.
Its Mexican stores were also apparently unaffected by the breach.
"We apologize for the frustration and inconvenience this breach may have caused," the company said in a new posting on its website.
"We also want to emphasize that you will not be liable for any fraudulent charges to your accounts, and we’re offering free identity protection services, including credit monitoring, to any customer who has shopped at a Home Depot store in 2014, from April on."
However, the Merchant Law Group — one of Canada's prominent class-action firms — filed a suit on Wednesday that will seek financial compensation for all Canadians affected by the Home Depot breach between April and Sept. 2.
"What Home Depot has offered is the most minimal kind of assistance. It's just not adequate," Tony Merchant said Thursday from the group's office in Calgary.
Merchant said that a Canadian class action against the Winners and Home Sense retail chains several years ago, after its parent TJX was the victim of a breach, obtained vouchers of between $30 and $60 as compensation and members of the class with significant out-of-pocket expenses were able to get repayment through the process.
And importantly for society, he added, the Winner-HomeSense class action negotiated changes to the way customer information was protected.
"And the same thing has to happen here," Merchant said.
The representative plaintiff is Martin Knuth, who says he used a swipe credit card several times at a Home Depot store in Regina, including on June 13, 2014. The suit was filed with a Saskatchewan's Court of Queen's Bench, in Regina.
Home Depot has a total of 2,264 stores in North America, including 287 in Canada and Mexico.
Security experts have said that chip-and-pin credit cards are less vulnerable to certain types of breach, particularly in stores, but hackers may used other techniques such as grabbing information off online transactions where the card number and password is entered by the consumer.
Home Depot also said its confirming its sales-growth estimates for the 2014 financial year and expects to earn $4.54 per share in fiscal 2014, up two cents from its prior guidance.
— With files from The Associated Press
News from © The Canadian Press, 2014