Home Depot hack could lead to $3 billion in fake charges

A recent hacker attack on Home Depot (HD) could result in up to $3 billion in fraudulent charges, according to credit protection firm BillGuard.

BillGuard said losses will be at least $2 billion, based on an analysis of what is known about the breach and what has happened following 16 such data leaks in the past year. Initial estimates after the Home Depot breach was first reported in early September suggested the hackers, who are thought to have sold customer payment data on the black market, had made $50 million. Home Depot confirmed the breach last week.

BillGuard has access to more than a million credit accounts through subscribers to the service, which is designed to alert consumers when a questionable transaction occurs. It also uses crowd-sourcing from its users, who flag transactions to identify patterns of concern.

"Home Depot shoppers deserve to know by now if they were exposed during the breach, but as with Target and other large retail breaches, it's not easy for the retailer to track down customers whose info was compromised on their systems," BillGuard CEO Yaron Samid said. "That's an additional frustration from the consumer's perspective."

Based on prior thefts of customer information, BillGuard predicted that an average of $332 in fraudulent charges will be made using the stolen Home Depot accounts. And such transactions are already beginning to show up.

Charges are for as little as $5, but some customers have reported thousands of dollars being put on their cards, BillGuard said. Small charges are commonly found on cards that were accessed in a breach.

"Cardholders should be on the lookout for micro-charges, typically below $10, that they don't recognize," Samid said. "These could be card validation tests that hackers use to ensure a stolen card is still active before they sell it online. Validated cards fetch a premium on the black market. If you don't recognize it, call the number on the back of the card and let your bank know."

Thieves make these charges in small increments because they are less likely to trigger alarms and lead a consumer to shut down their account. About 10 to 15 percent of the affected cards will be used by criminals, BillGuard predicted.

Consumers should keep a close eye on account activity, and quickly report to their card issuer any unusual activity.

"The most important thing is to check your card activity regularly, line-by-line, for any charges you don't recognize," Samid said. "You generally are not liable for fraudulent charges on your cards, but you have to find it first - and automatic systems at banks and card providers catch less than half of known fraud."

While Home Depot stock hasn't taken a big hit so far, analysts have suggested that it still might if consumer confidence is rattled and sales slow, as happened at Target following the data theft from that retailer. While card-issuing banks are initially responsible for covering fraud losses, they can turn that around and assess retailers for not adequately protecting their data.
