Hackers strike largest US hardware store, steal credit card data

HRM Enterprises, Inc. owner of the US's largest independent hardware store, was hit by a cyberattack resulting in the credit cards of more than 40K clients being stolen.

HRM Enterprises, Inc is a family of companies centered around the country’s largest independent hardware store and is based in Hartville, Ohio.

A notice to affected clients on July 26th stated that HRM’s ecommerce platform provider, Commerce V3, was breached and HRM’s clients’ data was affected.

The security breach affected the payment card information of customers who made purchases from the ecommerce websites of two HRM companies: Hartville Hardware and Lehman's.

The Office of the Maine Attorney General states that 43,092 people were affected by the breach in total.

Hackers had access for over a year

On June 8th, 2023, HRM’s ecommerce platform provider Commerce V3 notified the company about a breach in its systems.

An unauthorized actor reportedly accessed HRM’s systems between October 24th, 2021, and December 14th, 2022, and “acquired payment card information entered within the platform during that timeline.”

“CommerceV3 notes that it worked with the card companies to identify the payments entered during this window,” reads the company’s statement to affected clients.

Credit card information compromised

The potentially impacted information included customers’ names, full payment card numbers, CVV codes, and expiration dates for each purchase. Sensitive data compromised also includes emails and billing addresses.

According to the company, Social Security Numbers (SSNs) were not breached. Neither CommerceV3 nor HRM requires or stores SSNs for ecommerce transactions.

HRM hasn’t offered credit monitoring or identity theft protection services, but is encouraging affected clients “to remain vigilant for incidents of payment card fraud,” monitor their account statements, and report any suspicious activity to the relevant financial institution or law enforcement agency.