SECURITIES AND EXCHANGE COMMISSION
WASHINGTON, D.C. 20549
Pursuant to Section 13 or 15(d) of the
Securities Exchange Act of 1934
Date of Report (Date of Earliest Event Reported): November 6, 2014
THE HOME DEPOT, INC.
(Exact Name of Registrant as Specified in Charter)
(State or Other Jurisdiction
2455 Paces Ferry Road, N.W., Atlanta, Georgia 30339
(Address of Principal Executive Offices) (Zip Code)
(Registrant’s Telephone Number, Including Area Code)
(Former Name or Former Address, if Changed Since Last Report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2 below):
☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))
Regulation FD Disclosure.
In connection with the update on its data breach discussed in Item 8.01 below, on November 6, 2014, The Home Depot, Inc. confirmed its previous fiscal 2014 sales growth guidance of approximately 4.8 percent and its fiscal 2014 diluted earnings per share growth guidance of $4.54, an increase of approximately 21 percent, which includes estimates for the cost to investigate the data breach, provide credit monitoring services to customers, increase call center staffing, and pay legal and professional services, all of which are expensed as incurred.
The Company's fiscal 2014 diluted earnings-per-share guidance does not include an accrual for other yet-to-be determined estimable and probable losses related to the breach. At this time, other than the breach-related costs contained in the Company's fiscal 2014 diluted earnings-per-share guidance above, the Company is not able to estimate the costs, or a range of costs, related to the breach. Costs related to the breach may include liabilities to payment card networks for reimbursements of payment card fraud and card reissuance costs; liabilities related to the Company's private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities. These costs may have a material adverse effect on The Home Depot's financial results in the fourth quarter of fiscal 2014 and/or future periods.
The information contained in this Item 7.01 is being furnished and shall not be deemed filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended, or otherwise subject to the liabilities of Section 18. Furthermore, the information contained in this Item 7.01 shall not be deemed to be incorporated by reference into any registration statement or other document filed pursuant to the Securities Act of 1933, as amended.
On November 6, 2014, The Home Depot®, the world's largest home improvement retailer, disclosed additional findings related to the recent breach of its payment data systems. The findings are the result of weeks of investigation by The Home Depot, in cooperation with law enforcement and the Company's third-party IT security experts.
Additional Investigation Details Disclosed
In addition to details previously released, the investigation to date has determined the following:
Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the Company's point-of-sale devices.
The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information. The Company is notifying affected customers in the U.S. and Canada. Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.
As previously disclosed, the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot's security partners. As the Company announced on September 18, the hackers' method of entry has been closed off and the malware has been eliminated from the Company's systems.
The Home Depot's investigation, cooperation with law enforcement and efforts to further enhance its security measures are ongoing. The Company does not anticipate further updates on the breach outside of its quarterly financial disclosures.
The Home Depot continues to offer free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.
Cyber Security Enhancements
The Company has implemented enhanced encryption of payment data in all U.S. stores. The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers. Home Depot's encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms.
Though initially launched in January 2014 as part of a strategic plan to expand security beyond those protections already in place, implementation of the project was accelerated after the breach and completed in all U.S. stores on September 13, 2014. The rollout to Canadian stores will be completed by early 2015.
EMV Chip-and-PIN Technology
The Company is rolling out EMV chip-and-PIN technology, which adds extra layers of payment card protection for customers. Chip-and-PIN technology was deployed to Canadian stores in 2011. Launched as a project for U.S. stores in January 2013, the project will be completed ahead of the payment industry’s deadline.
Certain statements contained in this Form 8-K constitute "forward-looking statements" as defined in the Private Securities Litigation Reform Act of 1995. These forward-looking statements are based on the Company's current assumptions and expectations (which may change) and may relate to, among other things, (a) the impact of the breach on the Company's results of operations, including (i) costs related to the breach (including any costs not currently reflected in the Company's guidance), the related ongoing investigation and resulting liabilities, (ii) the outcome of the Company's ongoing investigation, including the potential discovery of new information related to the breach, such as the discovery that additional information has been stolen, and customers' and other stakeholders' reaction to that new information, (iii) the Company's ability to recover any proceeds under its insurance policies, (iv) the uncertainty regarding the outcome of any current or future civil litigation, governmental investigations and enforcement proceedings, and their impact on the Company's financial performance and operations, (v) loss of customer confidence in the Company's ability to protect their information and the adverse impact this loss of confidence may have on sales, and (vi) the Company's ability to effectively or timely implement adequate payment security enhancements and other remediation efforts and the Company's potential inability to prevent future attacks; (b) the demand for the Company's products, services and credit offerings; (c) net sales growth; (d) comparable store sales; (e) state of the credit markets; (f) continuation of share repurchase programs at previously announced levels; (g) net earnings performance; (h) earnings per share; (i) guidance for fiscal 2014 and beyond; and (j) financial outlook. Forward-looking statements are based on currently available information and the Company's current assumptions, expectations and projections about future events. 
You should not rely on the Company's forward-looking statements. These statements are not guarantees of future performance and are subject to future events, risks and uncertainties – many of which are beyond the Company's control or are currently unknown to the Company – as well as potentially inaccurate assumptions that could cause actual results to differ materially from the Company's expectations and projections. These risks and uncertainties include but are not limited to those described in Item 1A, “Risk Factors,” and elsewhere in the Company's Annual Report on Form 10-K for its fiscal year ended February 2, 2014, in its subsequent Quarterly Reports on Form 10-Q and in any other materials or reports it files with the Securities and Exchange Commission (the "SEC").
Forward-looking statements speak only as of the date they are made, and the Company does not undertake to update these statements other than as required by law. You are advised, however, to review any further disclosures the Company makes on related subjects in its periodic filings with the SEC.
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
THE HOME DEPOT, INC.
/s/ Teresa Wynn Roseborough
Teresa Wynn Roseborough
Executive Vice President, General Counsel & Corporate Secretary
Date: November 6, 2014