Home Depot Inc. late Thursday disclosed that approximately 53 million of its customers' email addresses had also been compromised as part of the company's recent data breach.
The disclosure is yet another blow to customer trust in the company, which two months ago disclosed one of the largest retail data breaches in the U.S. to date. Following weeks of speculation, the Atlanta-based retailer confirmed in September that it was the victim of a data breach that compromised approximately 56 million payment card numbers, making it the largest publicly reported retail payment card breach in history.
Home Depot clarified in a statement on the company's website Thursday that attackers had swiped a file that contained the massive haul of email addresses, though the company emphasized that the file did not contain password details or other personal information.
Customers who may have been affected by the latest update were also notified via email yesterday, receiving the following message:
Dear Valued Customer,
The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.
In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.
Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.
The Home Depot
Perhaps surprisingly, Home Depot also confirmed its previous 2014 fiscal guidance for investors, with the company expecting growth of around 4.8% to close out the year. That estimate includes all data breach investigation costs, the credit monitoring services provided to customers, increased call center staffing and legal and professional service fees. In comparison, the data breach that struck Minneapolis-based retailer Target during the 2013 holiday season precipitated a string of bad financial results, including $146 million in breach-related expenses.
Adam Kujawa, head of malware intelligence for San Jose, Calif.-based antimalware vendor Malwarebytes Labs, said in an emailed statement that spear phishing is the most likely threat that affected Home Depot customers will face.
Still, if other personal information indeed wasn't included in the heist, Kujawa said that any phishing attempts are unlikely to be as convincing to victims as those in the recent JP Morgan Chase breach, which saw names and home addresses stolen in addition to emails.
"Spear phishing tactics utilizing the knowledge that the e-mail addresses belong to Home Depot customers is a likely outcome, resulting in millions of people potentially receiving fake e-mails claiming to be from Home Depot requesting either the opening of an infected/malicious file or requesting login credentials," said Kujawa via email. "Of course these emails might just be sold to a spam agency looking for more potential customers to push their advertisements and junk mail onto."