Cummings Requests Hearing on Recent Data Security Breach at The Home Depot

Sep 11, 2014
Press Release

Washington, DC —Today, Rep. Elijah E. Cummings, Ranking Member of the House Committee on Oversight and Government Reform, sent a letter to Chairman Darrell Issa requesting that the Committee hold a bipartisan hearing to examine a recent data security breach that may have compromised the personally identifiable information of American consumers who shopped at Home Depot throughout the year.

Cummings’ letter explained that Home Depot has more stores in the United States and a higher total annual sales volume than Target, which experienced a similar data security breach late last year.  Home Depot also appears to have experienced its data breach for a longer period of time than the security breach that occurred at Target.

Cummings asked Issa to hold a hearing with officials from Home Depot to “help the Committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.”

Cummings had requested a bipartisan hearing on the Target data security breach in January, but that hearing was never held.

On Tuesday, Cummings sent Issa a similar letter asking Issa to hold a hearing to investigate the data security breach at Community Health Systems Inc., the nation’s largest for-profit hospital chain, which recently experienced the largest hacking-related health information breach ever reported.  To date, the Chairman has not responded to the letter.

Click here and see below to read the full letter.

September 11, 2014

The Honorable Darrell Issa

Chairman

Committee on Oversight and Government Reform

U.S. House of Representatives

Washington, DC  20515

Dear Mr. Chairman:

            I am writing to request that the Committee hold a bipartisan hearing to examine a data security breach that may have compromised the personal information of millions of American consumers who shopped at Home Depot this year.

            On Monday, Home Depot issued the following public statement:

            The Home Depot, the world’s largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.[1] 

            Home Depot’s statement highlighted “the increasing threat of cyber-attacks on the retail industry.”[2]   Press reports this week regarding this data security breach have warned that hackers “have for some time been scanning merchants’ networks for ways to gain remote access, such as through outside contractors who have access to a computer network.”[3]

            Home Depot has more stores in the United States and a higher total annual sales volume than Target, which experienced a similar data security breach late last year.  Home Depot operated 1,977 U.S. retail stores and had total sales of $78.8 billion in fiscal year 2013.[4]  By comparison, Target operated 1,793 stores in the U.S. as of February 1, 2014, and had total sales of nearly $73 billion in 2013. 

            Home Depot also appears to have experienced a data security breach for a longer period of time than the data security breach that occurred at Target.  The data security breach at Target lasted from November 27 through December 15, 2013, and may have affected approximately 40 million credit and debit card accounts.[5]  According to press reports, the cyber-attack on Home Depot potentially “went unnoticed for as long as five months,” and the total number of credit and debit card accounts that have been compromised is not yet known.[6]

            Over the past year, the Committee has been investigating the security of the Healthcare.gov website.  This investigation has involved numerous public hearings, more than a million pages of documents from federal agencies and private contractors, and 18 transcribed interviews.  To date, however, no personally identifiable information has been compromised as a result of malicious cyber-attacks, although outside actors have repeatedly tried.[7]

            Cybersecurity threats are ongoing challenges for both the federal government and the private sector.  For these reasons, I believe an investigation of the data security breach at Home Depot will help the Committee learn from these witnesses about security vulnerabilities they have experienced in order to better protect our federal information technology assets.

            Thank you for your consideration of this request.

                                                                        Sincerely,

                                                                        Elijah E. Cummings

                                                                        Ranking Member

 

[1] Home Depot, The Home Depot Provides Update on Breach Investigation (Sept. 8, 2014) (online at https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf).

[2] Id.

[3] Home Depot Data Breach Could Be the Largest Yet, New York Times (Sept. 8, 2014) (online at http://bits.blogs.nytimes.com/2014/09/08/home-depot-confirms-that-it-was-hacked/?_php=true&_type=blogs&_r=0).

[4] Home Depot, Form 10-K for the Fiscal Year Ended February 2, 2014 (online at http://phx.corporate-ir.net/phoenix.zhtml?c=63646&p=irol-reportscurrent) (filed Mar. 27, 2014).

[5] Target, Form 10-K for the Fiscal Year Ending February 1, 2014 (online at https://corporate.target.com/annual-reports/2013/10-K/form-10-K) (filed Mar. 14, 2014).

[6] Home Depot Data Breach Could Be the Largest Yet, New York Times (Sept. 8, 2014) (online at http://bits.blogs.nytimes.com/2014/09/08/home-depot-confirms-that-it-was-hacked/?_php=true&_type=blogs&_r=0).

[7] See, e.g., HealthCare.gov Server Hacked.  But HHS Says No Consumer Information Taken, Washington Post (Sept. 4, 2014) (online at www.washingtonpost.com/blogs/the-switch/wp/2014/09/04/healthcare-gov-server-hacked-but-hhs-says-no-consumer-information-taken/) (reporting that although a test server was hacked, no personally identifiable information was compromised).

113th Congress