Dear Mr. Chairman:
I am writing to request that the Committee hold a bipartisan hearing to examine a data security breach that may have compromised the personal information of millions of American consumers who shopped at Home Depot this year.
On Monday, Home Depot issued the following public statement:
The Home Depot, the world’s largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.[1]
Home Depot’s statement highlighted “the increasing threat of cyber-attacks on the retail industry.”[2] Press reports this week regarding this data security breach have warned that hackers “have for some time been scanning merchants’ networks for ways to gain remote access, such as through outside contractors who have access to a computer network.”[3]
Home Depot has more stores in the United States and a higher total annual sales volume than Target, which experienced a similar data security breach late last year. Home Depot operated 1,977 U.S. retail stores and had total sales of $78.8 billion in fiscal year 2013.[4] By comparison, Target operated 1,793 stores in the U.S. as of Feb. 1, 2014, and had total sales of nearly $73 billion in 2013.
Home Depot also appears to have experienced a data security breach for a longer period of time than the data security breach that occurred at Target. The data security breach at Target lasted from November 27 through Dec. 15, 2013, and may have affected approximately 40 million credit and debit card accounts.[5] According to press reports, the cyber-attack on Home Depot potentially “went unnoticed for as long as five months,” and the total number of credit and debit card accounts that have been compromised is not yet known.[6]
Over the past year, the Committee has been investigating the security of the Healthcare.gov website. This investigation has involved numerous public hearings, more than a million pages of documents from federal agencies and private contractors, and 18 transcribed interviews. To date, however, no personally identifiable information has been compromised as a result of malicious cyber-attacks, although outside actors have repeatedly tried.[7]
Cybersecurity threats are ongoing challenges for both the federal government and the private sector. For these reasons, I believe an investigation of the data security breach at Home Depot will help the Committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.
Thank you for your consideration of this request.
Sincerely,
Elijah E. Cummings
Ranking Member
-------------------------------
[1] Home Depot, The Home Depot Provides Update on Breach Investigation (Sept. 8, 2014) (online at https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf).
[2] Id.
[3] Home Depot Data Breach Could Be the Largest Yet, New York Times (Sept. 8, 2014) (online at https://bits.blogs.nytimes.com/2014/09/08/home-depot-confirms-that-it-was-hacked/?_php=true&_type=blogs&_r=0).
[4] Home Depot, Form 10-K for the Fiscal Year Ended Feb. 2, 2014 (online at https://phx.corporate-ir.net/phoenix.zhtml?c=63646&p=irol-reportscurrent) (filed Mar. 27, 2014).
[5] Target, Form 10-K for the Fiscal Year Ending Feb. 1, 2014 (online at https://corporate.target.com/annual-reports/2013/10-K/form-10-K) (filed Mar. 14, 2014).
[6] Home Depot Data Breach Could Be the Largest Yet, New York Times (Sept. 8, 2014) (online at https://bits.blogs.nytimes.com/2014/09/08/home-depot-confirms-that-it-was-hacked/?_php=true&_type=blogs&_r=0).
[7] See, e.g., HealthCare.gov Server Hacked. But HHS Says No Consumer Information Taken, Washington Post (Sept. 4, 2014) (online at www.washingtonpost.com/blogs/the-switch/wp/2014/09/04/healthcare-gov-server-hacked-but-hhs-says-no-consumer-information-taken/) (reporting that although a test server was hacked, no personally identifiable information was compromised).