home depot data breach

Home Depot data breach likely to strike 60 million and cause over $2 billion in fraud

Update 9/18: Home Depot has released its official number – 56 million payment accounts are at risk (press release, .pdf). Krebs reports that self-service POS systems currently are the main culprit in the investigation.

On September 2, we alerted nearly 100,000 BillGuard users who shopped at Home Depot during the previous five months that their payment information may have been exposed in an apparent data breach.

Since then, Home Depot has confirmed the breach, but not its scope. Security blogger Brian Krebs, who broke the story, has produced strong evidence that the breach affected nearly every Home Depot store in the U.S., and given the long timeframe, Krebs believes this breach could end up significantly larger than Target’s.

In the past week we’ve been crunching our data – drawn from over one million active card accounts on BillGuard and sixteen data breaches in the past year – to assess the scope of the Home Depot breach and to find any clear patterns of fraud, as a first step to better protect BillGuard users.

How much damage was done?

Based on our data, Home Depot’s statements, Krebs’ analysis, and industry analysis, we believe that approximately 60 million accounts were exposed in the Home Depot breach, and estimate that $2-3 billion in fraud is likely to strike these compromised accounts overall.

The factors contributing to this, and the basis for our estimate for each:

  • Number of cards likely exposed to the hackers: 60 million, based on BillGuard users’ exposure and adjusted to the overall cardholding population. This is consistent with New York Times reporting based on a source familiar with the investigation.
  • Percentage of those accounts that will likely experience fraudulent use of their stolen card: 10-15%, based on BillGuard data from this breach and previous breaches. This is roughly consistent with analyst data from Jeffries, but considerably lower than fraud occurrence data presented by Javelin.
  • Average amount of fraud posted to defrauded accounts: $332, based on BillGuard data from this breach and previous breaches.

What patterns are we seeing?

BillGuard users are reporting fraudulent charges from a variety of sources, both online and brick-and-mortar. Charges range from the five dollar range to tens of thousands of dollars. Some report a single fraudulent charge at one merchant, while others were hit by multiple charges from multiple merchants.

We’ll update this post when we can share specific noteworthy patterns of the fraudulent activity.