Home Depot, the nations largest home improvement retailer confirmed Thursday that a total of 56 million payment cards are at risk from a data breach, a substantially larger amount than when the Target retailer was hit.
Home Depot warned of a possible data breach a little over two weeks ago, and reports stated that hackers may have been on their network since April, which is a substantial amount of time considering Target’s data breach lasted only three weeks, in total, compromising over 40 million payment card numbers and information on over 70 million people.
Home Depot confirmed the data breach one week later noting that nearly all of its store may have been compromised in the breach.
In Home Depots most recent statement, the retailer overviews their investigation conducted by law enforcement with security firms FishNet Security and Symantec. The firms had concluded that the attackers had used custom-built malware to penetrate Home Depots network and payment systems.
“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” Home Depot wrote in its statement (PDF).
Home Depot confirmed the malware had been on their systems from April to September, and has since wiped their systems clean from both their U.S. and Canadian networks and Point-of-Sale (PoS) systems. Home Depot did not disclose details on how attackers compromised their network.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the statement read. “The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.”
The company stated they found no evidence of debit or credit PIN numbers begin compromised in the breach.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
Home Depot said it has completed an encryption rollout for payment data traveling through the point of sale in United States based stores. The company began the project in January, and just implemented the technology last Saturday. The company projects to implement the technology into their Canadian locations by early 2015. Home Depot also said they are working on rolling out chip-and-PIN implementations in their U.S. stores by the end of the year, considering the technology has been in place in their Canadian locations for some time.
Customers who used payment cards at the retailer have been offered free identity protection services and credit monitoring, Home Depot said. The data breach will not only be costly to its customers, but to the retail giant itself. The company released updated financial guidance and says experts incur a $62 million set back. This includes investigation costs, credit monitoring services, increased call center staffing, legal and professional services, among other costly outcomes. The company said that is expected to be offset by a $27 million reimbursement they will receive under the companies insurance coverage.