With 2,200 stores in the United States and Canada alone, the data breach that The Home Depot, Inc. (NYSE:HD) has admitted to could turn out to be the largest in history as it goes back to April and was only recently discovered. That discovery was made by security blogger Brian Krebs, the same man who identified the Target Corporation (NYSE:TGT) data breach that ultimately led to the resignation of the company’s CEO.

home depot logo

Apologies from Home Depot

The Home Depot, Inc. (NYSE:HD), in a recent press release, apologized “for the frustration and anxiety this causes our customers.”

“I want to thank them for their patience and support as we work through this issue,” said chairman Frank Blake.

After making the breach public, Mr. Krebs has said that a number of banks have subsequently contacted him to tell him that they had witnessed a sharp increase in fraudulent ATM withdrawals.

“Experts say the thieves who are perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online,” he wrote recently in a follow up to his original discovery.

“The zip code data is important because it allows the bad guys to quickly and more accurately locate the social security number and data or birth of cardholders using criminal services in the underground that sell this information,” said Mr Krebs.

Where does the data go?

The card and customer information is available for sale on a number of underground websites including Rescator.cc, a site that allows users to comfortably and confidentially acquire this type of data. In addition to the cardholder’s full name and address the site is also including the zip code of the store the information was obtained.

“The zip code data is important because it allows the bad guys to quickly and more accurately locate the social security number and data or birth of cardholders using criminal services in the underground that sell this information,” said Mr Krebs.

When thieves are in possession of this information they can call the automated systems that many banks have to change the PIN number on the card then make a counterfeit.

The breach came through the use of a malware program named BlackPOS which pulled the data from the cards after they were swiped on machines running Windows.

The breach underscores the fact that the United States is considerably more vulnerable to these types of attacks versus, say, Europe where chip-and-pin and chip-and-sign systems are more commonly used.