Home Depot confirmed this afternoon that the breach of its systems put approximately 56 million unique payment cards at risk, considerably more than in the Target data breach.
The giant home retailer disclosed on Sept. 2 that hackers had been on its network since April; by comparison, the Target breach, which resulted in the loss of 40 million cards and the personal information of 70 million individuals, lasted three weeks during the 2013 holiday shopping season.
In a statement, Home Depot said that the investigation of the breach, conducted by law enforcement and security firms FishNet Security and Symantec, concluded that the hackers used custom-built malware to penetrate its networks and payment systems.
“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” Home Depot said in its statement.
Home Depot said that the malware was on its systems from April to September, and has since been wiped clean from its U.S. and Canadian networks and payment systems. Home Depot did not say how the hackers got onto its network.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the statement said. “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
The company reiterated it found no evidence that debit card PIN numbers were compromised.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO, in a statement. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
Home Depot said it completed an encryption rollout for payment data at point of sale in U.S. stores. The project began in January and was completed last Saturday; Canadian stores will have the technology in place by early 2015. Home Depot said it has also accelerated chip-and-PIN implementations and expects to have those in all U.S. stores by the end of the year as well.
Customers who used a payment card at the retailer will have access to free identity protection services and credit monitoring, Home Depot said. For the retailer, the breach will be a costly experience. The company released updated financial guidance that says it expects to incur a $62 million cost for the investigation, credit monitoring services, increased call center staffing, legal and professional services. That is expected to be offset by a $27 million reimbursement under its insurance coverage, the company said in its statement.