In wake of Target, Home Depot tight with info in breach response

WASHINGTON (Reuters) - Home Depot Inc is being tight-lipped about its possible credit card breach, the opposite approach to the one Target Corp took nearly a year ago.

Almost a week after security blogger Brian Krebs warned that Home Depot could be the victim of a breach extending to more than 2,000 U.S. stores, the home improvement chain has not confirmed or denied that one had occurred. The company said Tuesday that it was working with authorities to investigate the matter.

By contrast, Target made initial disclosures on its breach's scope but later revised them in a series of updates that confused and angered consumers, hitting sales and contributing to Chief Executive Officer Gregg Steinhafel's departure.

In its minimalist communication strategy, Home Depot likely is drawing lessons from Target, avoiding an incremental approach that risks giving the impression that it does not have a complete grasp of the problem, crisis management experts said.

"When you have criminal behaviour, you don't know right away what all the ramifications are," said Davia Temin, head of a consultancy focused on crisis and reputation management. "It's really hard when you are trying to overcommunicate not to misstate reality."

Target in December used its first disclosure to say 40 million credit and debit cards might have been compromised. A week later it said encrypted PIN data had been stolen.

And in January, it said data on up to 70 million people might have been taken.

Target spokeswoman Molly Snyder said the company had moved quickly to inform customers as facts were uncovered during a complex investigation.

To be sure, the situations facing Target and Home Depot are not exactly the same. While Target knew it was dealing with data theft, Home Depot has held on to the possibility that no breach has occurred.

"When you are in a situation like this you have a choice,"Home Depot CEO Frank Blake said at an investor conference on Thursday. "On the one hand, you can wait to communicate anything until you have the facts at hand, or you can communicate the facts as you know them. We chose the latter path."

Blake did not address Krebs' reporting, including his estimate on the scope of the possible breach.

Home Depot spokeswoman Paula Drake said on Monday that the company did not have any updates on the situation.

A spate of recent breaches has tested crisis communications across the retail sector. When such an incident happens, management must balance competing interests, from law enforcement, which typically pushes for sparse disclosure, to public relations officials, who want to say more.

Jason Maloni, a crisis communications specialist at public relations firm Levick, said Home Depot had done the right thing by waiting until it knows more before estimating the parameters of the breach or disclosing other details.

"I think everyone has learned from Target," he said.