In confirming the data breach, Home Depot said Monday that brick and mortar stores in U.S. and Canada have been affected, while stores in Mexico and transactions that occurred on HomeDepot.com seem to have been spared. The company said that it is investigating transactions from April 2014 going forward -- that is, transactions that have occurred in the past five months -- and that while the full scope, scale and impact of the breach has yet to be determined, "there is no evidence that debit PIN numbers were compromised."
The retailer is attempting to aggressively tackle the problem, and has already offered free identity protection services, including credit monitoring, to customers who used a debit or credit card in a Home Depot store from April onward. In a "Frequently Asked Questions" page on the company's website, Home Depot said that it "strongly" encourages its customers to "review your payment card statements carefully and call your bank or card issuer if you see any suspicious transactions. The policies of the payment card brands such as
In the release confirming the breach, Home Depot chairman and CEO Frank Blake stated, "We apologize for the frustration and anxiety this causes our customers," adding that he thanks customers for their patience as his company tries to resolve the issue. "We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasize that no customers will be responsible for fraudulent charges to their accounts," he said.
Looming in the background of Home Depot's data breach is the Target data breach, which occurred in late 2013 but whose repercussions are still rippling, with Target announcing early last month that its breach cost them $148 million, roughly 11 cents per share (and, not to mention, consumer trust). As FORBES' Sam Sharf reported last week, Home Depot could be looking at a similarly-sized bill:
Based on Target’s 11 cent per share cost ($148 million less $38 million in insurance coverage) Schick believes a breach would cut roughly 7 cents from Home Depot’s 2014 earnings per share.
Schick added, “Perhaps more importantly, TGT experienced meaningfully weaker sales (-2% to -6%) following the breach announcement despite significant promotional activity (before sales improved after the holiday season) though there were many negative factors at work relative to TGT revenue at holiday.” A sales decline at Home Depot could have a five to 10 cent impact on earnings per share, said Schick. Yet as consumers become more accustomed to breaches of this scale there is a “diminishing impact” so he would err on the low end of that range.
In a research note released Monday evening, S&P Capital IQ analyst Efraim Levy said that "if the breach to Home Depot is on the scale of Target's 2013 data breach, the cost to Home Depot could run into the hundreds of millions of dollars." Reiterating Home Depot's "hold" rating, Levy also expressed some cautious optimism for the company, saying, "We consider Home Depot to be financially equipped to deal with a breach of that scale or larger."
Following the confirmation of the data breach, shares of Home Depot, which closed regular trading with an 0.9% loss, ticked down another 0.9% in Monday's after-hours trading session. The stock is down 2.5% since first disclosing that a breach may have occurred; year-to-date, it's up 11%.
