The massive Home Depot data breach disclosed earlier this fall involved the theft of 56 million credit and debit card numbers, and now the company has revealed that the incident so far has cost it $43 million.
The costs are the result of both the investigation into the data breach as well as the recovery from it, including hiring security experts to find the details of the attack, bringing in more call center workers to handle consumer questions and paying for credit monitoring, among other things. In a financial filing on Tuesday, Home Depot said that as much as $15 million of those charges could be recoverable through insurance coverage.
The Home Depot breach is one of the larger such incidents on record, with 53 million email addresses also stolen by the attackers. Company officials said the incident was the result of attackers using compromised vendor credentials to gain access to the Home Depot network and then move internally. Ultimately, the attackers gained access to the point-of-sale system, where all the damage was done.
“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada,” Home Depot said in a statement earlier this month.
In its quarterly financial filing on Tuesday, Home Depot officials said the company is still investigating the data breach, but that it has rolled out some security enhancements in the weeks after the compromise, with more to come.
“The Company has completed a major payment security project that provides enhanced encryption of payment card data at the point of sale in all of the Company’s U.S. stores, offering significant new protection for customers. The new security protection takes raw payment card information and scrambles it to make it unreadable to unauthorized users. Roll-out of enhanced encryption to Canadian stores will be completed by early 2015. The Company is also rolling out EMV chip-and-PIN technology in its U.S. stores, which adds extra layers of payment card protection for customers. Canadian stores are already enabled with EMV chip-and-PIN technology,” the report says.
Chip-and-PIN systems comprise a card with a chip inside and require a user to enter a PIN at the point of sale in order to complete the transaction. Such systems have been in use in Europe for several years but are just showing up in the United States. On top of the $43 million in costs associated with the breach Home Depot incurred in the third quarter, company officials say they could face further expenses from the incident in the coming months.
“In addition to the above expenses, the Company believes it is probable that the payment card networks will make claims against the Company. The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks assert they or their issuing banks have incurred,” the company’s report says.
“Although an independent third-party assessor found the portion of the Company’s network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the process of obtaining such certification for 2014 was ongoing at the time of the Data Breach and the forensic investigator working on behalf of the payment card networks may claim that the Company was not in compliance with those standards at the time of the Data Breach. As a result, the Company believes it is probable that the payment card networks will make claims against it and that the Company will dispute those claims.”
Officials said it’s also likely that Home Depot will incur significant legal and professional services expenses in future months and that “it is reasonably possible that the ultimate amount paid on these services and claims could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods.”