Dive Brief:

• A week after Krebs on Security reported the possible breach of Home Depot’s payment systems, the home improvement retailer Monday confirmed the breach and tried to assure customers that debit cards were not compromised.

• Cyber-journalist Brian Krebs, however, has reported that there’s been a surge in fraudulent ATM withdrawals in the wake of the breach.

• Krebs notes that the data obtained through Home Depot’s payment systems is now on sale on the internet and has allowed access to customers’ names, and city, state, and ZIP code information, which enables thieves — and their customers — to not just use customer cards at retailers, but also withdraw funds from ATM machines.

Dive Insight:

This hack, which Brian Krebs last week rightly predicted could be bigger than last year’s Target breach, is a disaster that is bad news for consumers and retailers alike, coming just weeks ahead of this year’s holiday retail season. Home Depot officially is saying that the extent of the breach is unknown, but the New York Times reports that more than 60 million cards may have been compromised, compared to the 40 million affected by the Target event. Notably, it was Krebs who revealed both breaches, which occurred months before they were known to the affected retailers themselves.

“The fact that it is still possible to use customer service or an automated system to change someone else’s PIN with just the cardholder’s Social Security number, birthday and the expiration date of their stolen card is remarkable, and suggests that most banks remain clueless or willfully blind to the sophistication of identity theft services offered in the cybercrime underground,” Krebs writes in his analysis of the Home Depot theft.  “I know of at least two very popular and long-running cybercrime stores that sell this information for a few dollars apiece. One of them even advertises the sale of this information on more than 300 million Americans.”