A black market website is now selling nearly 100,000 credit and debit card numbers stolen from Home Depot stores in Maine, after the largest data breach ever perpetrated in the state.

The number of stolen card numbers for sale has nearly doubled over the past two weeks as the data thieves have added more batches to their online storefront. Concern over compromised personal data has led Maine credit unions to issue thousands of new cards, while banks are taking a more measured approach.

As of this week, about 99,500 card numbers, issuing bank names, expiration dates, cardholder names and addresses, and magnetic stripe data stolen from the 11 Home Depot stores in Maine were listed for sale. When the Press Herald first reported the sale of Mainers’ card data on Sept. 4, about 52,000 card numbers were listed on the site. The Press Herald has declined to name the website because it is a criminal enterprise and the risks of visiting the site are unknown.

No previous consumer data theft in Maine compares to the latest breach, said Martha Currier, complaint examiner for the Maine Office of the Attorney General’s Consumer Protection Division.

“It’s definitely the biggest data breach Maine has seen from a retailer,” Currier said. “It’s bigger than the Target breach.”

The breach, which Home Depot confirmed Sept. 8, affected more than 99 percent of the chain’s roughly 2,200 stores in the U.S. and Canada. The total volume of card numbers stolen is unknown, but it is estimated to be in the tens of millions. The retailer said in a notice posted on its website that the data theft occurred over a period of months beginning in April.


“Since then, the company’s internal IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts and provide information to customers,” the notice says.

The consumers whose card numbers were stolen rarely are affected financially by any fraudulent activity on their accounts. Usually it is the banks and credit unions that have to cover losses associated with data theft. As a result, the growing frequency and scope of such crimes have become a major concern for financial institutions, industry representatives have said.

The total cost to card issuers from the Home Depot breach and recent Target data heist has yet to be determined, but a 2008 survey by the Maine Bureau of Financial Institutions in the wake of the Hannaford and TJX data breaches found that related losses reached more than $2 million, most of it from the Hannaford breach.

John Murphy, president of the Maine Credit Union League, said credit unions in Maine already are sustaining losses from fraudulent card activity, but certain facts have yet to be determined, such as the ultimate total cost and how much of it is connected to the Home Depot heist.

“Unfortunately, we’ve had multiple breaches,” he said.

For the moment, Maine’s credit unions are focused on replacing account holders’ cards to prevent further theft, Murphy said. “We’ve issued thousands of cards to members so that they are not inconvenienced,” he said.


Banks are taking a different tack. Chris Pinkham, president of the Maine Bankers Association, said his members are not seeing a rush of requests for new cards, nor are they issuing new cards proactively.

“It’s five years after the TJ Maxx (TJX) breach and the automated systems built to monitor live transactions have been beefed up to such a sophisticated level – with multiple layers of monitoring – that we are taking a more wait-and-see approach,” he said. “Of course we want to hear from any consumer who sees unusual activity (on their account), and some banks are streaming banners on their websites asking consumers to report suspicious activity, but we aren’t hearing a big response.”

According to a 2011 Experian report, the average American consumer has 3.5 credit cards. Lloyd LaFountain, superintendent of the Maine Bureau of Financial Institutions, said that although the state has no hard numbers, he expects Mainers would likely have fewer cards than the national average. With a population of 1.3 million, Maine consumers would likely hold somewhere between 3 million and 4.5 million cards.

Visa and MasterCard already have given retailers a September 2015 deadline to implement next-generation card readers that scan an embedded microchip in the card for added security. Those that fail to upgrade their point-of-sale systems to the new standard by the deadline will be liable for all losses associated with customer data theft, they have warned.

Still, it will take time for financial institutions to issue the new chip-embedded cards to everyone, and for retailers to replace their existing scanners with the more sophisticated ones.

The string of recent data breaches at major retailers such as Home Depot, Target, Neiman Marcus and Shaw’s is likely to put added pressure on them to upgrade their security systems, banking analysts have said.

In the wake of the data breach, Home Depot has vowed to install “chip and PIN” card scanners in all of its stores by the end of this year. The retailer also is offering a year of free credit-monitoring service to all affected customers.
