If you've shopped at The Home Depot (NYSE:HD) over the past five months, you'd better check your bank statements. Because on Monday, the home improvement retailer confirmed its payment data systems at brick-and-mortar stores in the U.S. and Canada have suffered a breach dating as far back as April 2014.
To its credit, The Home Depot says there is no evidence of debit PIN numbers being compromised, and this doesn't affect customers who shopped at its stores in Mexico or online at HomeDepot.com. It's also aggressively working to foster goodwill with consumers by offering free identity protection services, including credit monitoring, and insists no customers will be held liable for fraudulent charges.
Echoes of Target's massive breach
At the same time, the news also arrived a full six days after security blog KrebsOnSecurity first reported signs of the potential breach. Specifically, the blog claims sources close to the investigation say the breach appeared to stem from a new variant of the malware responsible for exposing 40 million debit and credit card accounts at Target (NYSE:TGT) over a three-week period last year. What's more, the cards in question first turned up for sale roughly a week ago in multiple batches on the same underground cybercrime website that sold Target's stolen data.
However, KrebsOnSecurity warns, given the comparatively long time span during which this malware has apparently been siphoning data from The Home Depot's systems, this new breach "could be many times larger than Target."
This is going to be expensive
So what does that mean for Home Depot? First and foremost, this will likely be really, really expensive.
Target, for example, has already incurred $236 million in gross expenses since its own debacle unfolded in the fourth quarter of last year. Of course, Target's insurance chipped in $90 million to take away some of that sting, bringing its total net breach-related expenses so far down to "just" $146 million. What's more, Target expects the claims to continue going forward, though management insists they are not estimable. That's also not to mention the breach undoubtedly played at least a partial role in the resignation of Target's CEO in May.
And that's not the only way these breaches damage retailers. Target has also seen a slower trend in debit REDcard applications since the breach. This, in turn, has led to slower growth in REDcard sales penetration, which stood at 28.8% during Target's second quarter. It seems reasonable, then, to expect a similar trend will unfold for penetration of Home Depot's private label credit card portfolio, which stood at 23.2% as a percentage of total sales last quarter.
Unlike Target, however, Home Depot uses its credit cards primarily as a financing tool to secure big-ticket purchases. If consumers and contractors aren't comfortable using those cards or applying for new ones going forward, it could easily affect Home Depot's top and bottom line in a big way.
Foolish bottom line
Home Depot says it "continues to determine the full scope, scale, and impact of the breach." So unfortunately, short of knowing this will be a long, expensive battle, it's virtually impossible at this point to precisely estimate the extent of the fallout. For now, investors will need to hurry up and wait for the next update from the home improvement retail juggernaut.
Steve Symington has no position in any stocks mentioned. The Motley Fool recommends Home Depot and Nike. The Motley Fool owns shares of Nike.