Victim to a mysterious cyber attack, Home Depot struggles to find out what went wrong

Home Depot is sweating bullets.

Knee deep in a Day 2 mysterious investigation into a massive cyber breach that likely affected the credit data of millions of its users and which reportedly first happened in May, the Georgia-based home improvement chain is now only offering wan assurances to an increasingly skeptical public that everything is under control.

When asked about how Home Depot is treating the insecurity, spokesperson Paula Drake told VentureBeat,

“Our forensics and security teams have been working around the clock since we first became aware of a potential breach Tuesday morning, working with leading IT security firms, including Symantec and FishNet Security, in that regard. There is no higher priority for us at this time than to rapidly gather the facts so that we can provide answers to our customers. We know these types of incidents can cause frustration and concern, and we apologize for that.”

Chief executive Frank Blake is apparently keeping a low profile and has made no public statements at this time. Incredibly, Home Depot, with a market cap of $122 billion, only learned of the massive cyber broadside when American and European banks noticed thousands of credit cards for sale on cyber criminal websites like Rescator.cc and traced them back to Home Depot.

Malwarebyte’s head of intelligence Adam Kujawa told VentureBeat Tuesday the attack bore the hallmarks of the Russian crew who breached the point-of-sales network at Target in December and stole over 70 million customer credit cards for $100 million in losses. That attack cost Target CEO Gregg Steinhafel his job.

Yesterday, Drake said Home Depot was working with law enforcement agencies in the investigation, although she refused to say which ones. (Traditionally, in large-scale attacks like this, the FBI and US Secret Service work the cases.)

The rest of Home Depot’s release on the brewing tsunami below:

“It’s important to note that in the event we determine there has been a data breach, our customers will not be responsible for any possible fraudulent charges. The financial institution that issued the card or Home Depot are responsible for those charges. We will also offer free identity protection services, including credit monitoring, to any potentially impacted customers.”

Chris Weltzien, chief executive of security outfit 6Scan, said the attack was the talk of security specialists.

“The latest batch of stolen cards are being sold under the name ‘American Sanctions,’ and initial sanctions for the annexation of Crimea [were] put in place in April/May time frame,” Weltzien wrote in an email. “Home Depot does a huge business in their own credit cards.”

For the millions of Home Depot customers frantically checking their credit card statements, the ultimate onus is with the retailer, who said they’d pick up the check for any losses incurred by the attack. Drake’s statement, the rest of it below, offers little directive other than to call up your bank:

“Customers should closely monitor their accounts and reach out to their card issuer should they notice any unusual activity.”

With the breach purportedly happening in the spring and the company learning of it through third parties, it would go a long way toward investor confidence if Blake made a statement to the concerned public.

If not, his CTO should be polishing his resume.