The U.S. Federal Trade Commission should investigate security practices at Home Depot following media reports that the hardware retailer's payment systems have been breached, two U.S. senators said Tuesday.
Home Depot's U.S. and Canadian customers who shopped in stores since April may be affected by the breach, the company said Monday, following news reports of the compromise.
The breach raises questions about the retailer's security measures, Senators Richard Blumenthal, a Connecticut Democrat, and Ed Markey, a Massachusetts Democrat, wrote in a letter to the FTC.
"The millions of Americans who today are wondering whether their personal information is in the hands of hackers and thieves deserve prompt notification from Home Depot, and the FTC should do everything in its power to protect consumers," the senators wrote.
Reports of long-standing vulnerabilities at Home Depot's website "raise serious concerns" about the company's responsiveness to cyberattacks, the letter continued.
"Given the unprecedented scope and extended duration of Home Depot's data beach, it appears that Home Depot may have failed to employ reasonable and appropriate security measures," the senators wrote. "Furthermore, it is troubling that Home Depot has not yet been able to confirm that it has successfully shut down the data breach."
The FTC has investigated several data breaches in recent years, and in some cases, has required breached companies to implement new cybersecurity programs and submit to independent security audits.
Home Depot doesn't believe customers who shopped at HomeDepot.com, or at its physical stores in Mexico, were affected by the breach, the company said. Customers won't be responsible for fraudulent charges related to the breach, the company said Monday.
Home Depot didn't immediately respond to a request for comments on the senators' letter.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is firstname.lastname@example.org.