Home Depot's investigation of a suspected hacker attack means banks are once again considering whether they should replace their customers' debit and credit cards and has renewed pressure on retailers and credit-card providers to strengthen their payment-system security.
The home-improvement chain said Tuesday that it is working with banks and law enforcement on the possible hack, after a report by KrebsOnSecurity that a "massive" batch of stolen credit- and debit-card information was posted for sale online.
Home Depot said Wednesday that it had enlisted Symantec Corp. and FishNet Security Inc. to help investigate the suspected data breach.
"Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning," Paula Drake, a spokesman for the Atlanta-based retailer, said in an email.
Officials at Arkansas-based banks said they are waiting for more information from Home Depot.
Arvest Bank is evaluating the situation to assess the risk posed to its customers, marketing director Jason Kincy said.
"If we do determine it is necessary to reissue cards, we'll be in contact with customers that need to receive a new card," Kincy said. But, he said, it's too early to say how the bank will respond.
Brian Davis, chief accounting officer for Home BancShares, the holding company for Centennial Bank, said the Conway-based bank also is gathering information.
"We have not made the decision whether we're going to have to do a reissue," Davis said. "We just don't have enough data from Home Depot."
Bank of the Ozarks spokesman Susan Blair said customers of the Little Rock-based bank had not requested new cards based on information about Home Depot.
Kincy said Arvest replaced "several thousand cards" after Target Corp.'s payment system was breached by hackers last year before Christmas.
Kincy said customers should monitor accounts either online or by examining monthly statements to watch for unauthorized charges and to notify the bank immediately if they find suspicious transactions.
Citigroup, the third-biggest credit-card issuer in the United States, said it's escalating prevention and detection efforts as a result of the investigation.
"We are actively monitoring accounts, and if we see suspicious activity we will take appropriate actions, which may include reissuing cards for customers," Janis Tarter, a spokesman for the New York-based bank, said in a statement.
Trish Wexler at JPMorgan, the biggest U.S. credit-card lender, had no immediate comment.
The incident raises questions about retailers' slow adoption of "chip and PIN" technology, which makes cards more secure, said Michael Sutton, vice president of security research for San Jose, Calif.-based cloud-computing company Zscaler.
"Retailers are now seeing firsthand why the technology is necessary and how technology costs pale in comparison to the direct and indirect costs associated with a major data breach," Sutton said.
Some companies have been slow to update their systems with the technology, also known as EMV -- short for Europay-MasterCard-Visa, the companies that first backed the approach. Credit-card networks have set an October 2015 deadline for most U.S. merchants to upgrade payment systems.
EMV is considered more secure because it's harder to copy account numbers and security codes from chips than from the magnetic strips on most cards used in the U.S. EMV cards create a unique code for each transaction, making them more difficult to hack or counterfeit than striped cards.
"The technology has not been widely adopted in the U.S., primarily due to lobbying by retailers who were concerned about the cost of implementing the technology," Sutton said.
Brian Krebs, the independent journalist who uncovered the hacker attack at Target last year, said Tuesday that there's evidence that the latest stolen credit-card data is linked to Home Depot stores.
Hackers struck Minneapolis-based Target last year during the height of the Christmas shopping season, tarnishing its reputation and hampering sales.
An investigation by Bloomberg Businessweek found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit-card numbers -- along with 70 million addresses, phone numbers and other pieces of personal information.
In Home Depot's case, the suspected breach may have occurred in late April or early May and could encompass all 2,200 of the company's stores in the U.S., Krebs said. That means it could be larger than the Target incident, Krebs said.
"The criminals are getting smarter faster than the companies," said Jaime Katz, an analyst at Morningstar in Chicago. If the Home Depot breach is on the same scale as Target's incident last year, "there is obviously significant concern," she said.
Information for this article was contributed by Matt Townsend, Chris Strohm, Dakin Campbell and Hugh Son of Bloomberg News and by Glen Chase of the Arkansas Democrat-Gazette.
A Section on 09/04/2014