The home improvement chain also said the malware responsible for the breach has been removed from all stores.
An unknown number of cards are involved in the incident.
Less than 1.5 million credit and debit card accounts may be at risk following the revelation last week that criminals gained access to a portion of payment processor Global Payments Inc.’s network.
Global Payments says it discovered the intrusion in mid-March and “immediately engaged external experts in information technology forensics and contacted federal law enforcement,” as well as payment card brands. Global Payments did not disclose the types of transactions involved.
“It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” says Paul R. Garcia, Global Payments chairman and CEO.
Criminals appear to have retrieved sensitive card data that includes the card numbers, expiration dates and other data, Global Payments says, but did not gain access to cardholder names, addresses or Social Security numbers. Global Payments says it appears the incident has been contained, and is confined to North America. Global Payments says it annually processes approximately five billion transactions worldwide.
In a statement MasterCard says it is “investigating a potential account data compromise event of a U.S.-based entity,” and it has alerted payment card issuers about some MasterCard accounts that are at risk. Visa says it, too, is investigating. Both card brands say their systems have not been compromised.
Just what the investigation reveals will be interesting, says Julie Conroy McNelley, a fraud and security analyst at consulting firm Aite Group LLC, especially if the criminals retrieved the full card number and security code, known as the PAN data and CVV, respectively. In that case, criminals could use the stolen card data to make purchases from e-retailers, McNelley says.
E-commerce retailers should be alert to criminals using the stolen card data, says Avivah Litan, an analyst at Gartner Inc. "These stolen cards could be used at their sites," Litan says. The card brands are obligated to tell the issuing banks which card numbers are involved, but not retailers, she says. "They don't get any fair warning," she says. That means a transaction made with stolen card data still could be authorized, and later declined, she says. That puts the onus on an e-retailer's fraud prevention systems. "No one is looking after them except themselves."
Criminals continue to pursue payment card data because of the potential financial gain, McNelley says. “There’s so much financial incentive for criminals to go after this data,” she says. “They are nimble, creative and continue to advance their attacks.”
At the Internet Retailer Conference & Exhibition 2012, Tim Toews, consultant and former chief information officer, Office Depot Inc. , will speak in a session entitled “Blocking the hackers: The case for preventive action.”