Home Depot Inc., the largest home- improvement chain, fell as much as 3.4 percent in New York trading after saying it was working with banks and law enforcement to investigate a possible data breach.
"We're looking into some unusual activity," Paula Drake, a spokeswoman for the Atlanta-based company, said in an e-mailed statement. "We are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately."
Brian Krebs, the independent journalist who uncovered a hacker attack at Target Corp. last year, reported that a "massive" batch of stolen credit- and debit-card information went on sale this morning. There's evidence that the cards are linked to Home Depot stores, Krebs said on his website, KrebsOnSecurity.
Home Depot shares dropped as low as $89.85 in New York. The stock had climbed 14 percent this year before today.
"The criminals are getting smarter faster than the companies," said Jaime Katz, an analyst for Morningstar Inc. in Chicago. "If it is something on the scale of Target, there is obviously significant concern."
Target, the Minneapolis-based discount chain, has shown how devastating a data breach can be to a retailer. Hackers struck the company last year during the height of the holiday shopping season, tarnishing its reputation and hampering sales. Target's slow reaction to the incident also drew criticism from lawmakers, and the company ousted its chief executive officer in May. Brian Cornell, a former PepsiCo Inc. executive who took the helm at Target last month, is now working to pick up the pieces.
An investigation by Bloomberg Businessweek found Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers along with 70 million addresses, phone numbers and other pieces of personal information.
In Home Depot's case, the suspected breach may have occurred in late April or early May and could encompass all 2,200 of the company's stores in the U.S., Krebs said. That means it could be larger than the Target incident, he said.
The attack also may have been performed by the same group of hackers that infiltrated Target, possibly as retribution for the U.S. and Europe placing sanctions on Russia, Krebs said.
Stolen cards were marketed on a website by the hackers as being "European Sanctions" and "American Sanctions," he said.
Other chains have suffered hacker attacks in recent months, including the supermarket company Supervalu Inc. and the Asian- themed eatery P.F. Chang's China Bistro Inc.