Home Depot the largest retail breach ever?: A look at the numbers

By Chad Hemenway on September 5, 2014

What would it mean if Home Depot turns out to be the largest retail data breach ever, as some have suspected?

Basically, it means a significant portion of the US population–more than 20 percent–could be affected.

The infamous top spot is currently occupied by Target. The third-largest retailer in the US said it had its point-of-sale systems hacked from November 27 to December 15, 2013.

The breach exposed debit and credit card data of as many as 40 million customers, plus an additional 70 million records with other customer information. Advisen Loss Insight combines the numbers to come up with an affected count of 110 million but Target spokeswoman Molly Snyder told Advisen each are two distinct pieces of the breach and there could some overlap.

Even if there was a total overlap, 70 million records containing customer information–payment card or personal–was stolen.

This still put Target tops among hacked retailers, having affected a number of people equal to more than 20 percent of the US population (about 314 million).


Brian Krebs, author of the cybersecurity blog Krebs on Security, was told by banks that they were seeing stolen payment cards being sold on underground websites. All roads were leading to a breach at Home Depot, which now says it is looking into “unusual activity.”

Krebs, who was first to uncover the Target cyber breach, looked into the cards being sold online and concluded that nearly all of Home Depot’s 2,200 US stores are involved in the breach. And the breach may have been unrealized for far longer than Target–at least several months rather than several weeks.

Home Depot has not officially confirmed a breach, but when it does it can expect lawsuits–many of them. Within hours of Target’s public announcement on December 19, 2013 class-action lawsuits were filed, as shown in the chart Advisen kept of class action lawsuits.

ALSO READ: Shareholder hits Target brass with D&O lawsuit for ‘bungling’ breach | Banks, credit unions tally more than $200M in Target costs | Target: Q2 data-breach losses at $148M

The suits have since been consolidated by a US Judicial Panel on Multidistrict Litigation in the retailer’s home state of Minnesota. According to Advisen data, Minnesota was home to the most filed lawsuits.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.