(Updates to adds details on the lawsuit)
By Karen Freifeld
NEW YORK, Sept 9 (Reuters) - Two senators asked the federal government to investigate a data breach on the payment-card processing systems of Home Depot Inc and five U.S. states launched a probe into the matter on Tuesday as fallout from the attack intensified.
The retailer has yet to say what was stolen, though experts fear the attackers may have gotten away with more than 40 million payment cards, which would exceed the number taken in last year’s unprecedented attack on Target Corp.
Home Depot said customers who shopped at its stores as far back as April were exposed, meaning the breach extended for more than four months including the busy summer season. That is far longer than the three-week Target breach.
An Illinois customer sued Home Depot saying the company failed to properly safeguard customer data from hackers, a lawsuit filed in a Chicago federal court showed on Tuesday.
The increased government scrutiny could be another sign of trouble for Home Depot, even though it has yet to determine the full scope of the breach, analysts warned.
“This sounds worrisome,” said Efraim Levy, senior equity analyst at Standard & Poor‘s.
The news also caught the attention of credit ratings agency Moody‘s, which said the attack is a “negative” factor, though there was no immediate rating impact.
The effort by five U.S. states was disclosed just a day after the largest U.S. home improvement retailer confirmed it had been breached.
A spokeswoman for Connecticut Attorney General George Jepsen said that California, Connecticut and Illinois would lead the multistate effort. New York and Iowa said they would also participate.
“We have had initial contact with the company,” said Jaclyn Falkowski, director of communications for Jepsen.
Meanwhile, U.S. senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut called on the Federal Trade Commission to investigate.
“If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information,” the senators said in a statement. “Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.”
An FTC spokesman declined comment.
The agency investigates breaches but tends to focus on cyberattacks that are partially the result of poor security on the part of the victim.
Home Depot spokeswoman Paula Drake said in response to the possible FTC probe that the company will continue to cooperate with lawmakers and others. She declined to comment on the multistate investigation.
The retailer said on its website that banks and law enforcement warned of unusual activity related to its payment systems on Sept. 2, prompting it to hire security experts who confirmed it had been breached.
When asked if investigators had confirmed the attackers had been removed from the company’s network, Drake declined to comment.
The company has advised customers to examine statements carefully for unusual charges, saying they will not be held responsible for fraudulent activity. It has arranged for free credit monitoring.
Home Depot shares fell 2.1 percent to $88.93 on Tuesday, wider than the 0.7 percent decline in the S&P 500 Index (Additional reporting and writing by Nandita Bose in Chicago, with Jim Finkle in Boston and Diane Bartz in Washington; Editing by Chizu Nomiyama, Matthew Lewis and Lisa Shumaker)