Pierluigi Paganini September 19, 2014

Home Depot announced that data related to 56 million cards were stolen by cyber criminals.

Home Depot, the US largest home improvement retailer, confirms breach impacted 56 million customers.

On Thursday the company Home Depot released an update on the evolution of the investigation of the data breach suffered by the company.

Home Depot data breach is larger than the incident at Target retailer, which exposed exposed 40 million cards, and the investigation puts the extension of the incident behind TJX Cos.’s theft of 90 million records.

The company confirmed that a malware infected its POS network between April and September of 2014.

“The hacker’s method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.” states Home Depot.

As reported in the update, the company’s ongoing investigation has determined the following:

• Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
• The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
• The malware is believed to have been present between April and September 2014.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so,” said Frank Blake, chairman and CEO.

To improve the security of payment processes, Home Depot has announced that the new payment security protection is based on strong encryption to secure credit card data, the company revealed to have chosen encryption technology provided by the Voltage Security firm.

The Voltage solution was already deployed in all US stores last week, meanwhile, it will be extended to stores located in Canada within early 2015. Home Depot will be rolling out more than 85,000 PIN pads to stores which will use them to unlock payment details on the card.

Home Depot confirmed its sales-growth estimates for the fiscal year, despite the company’s fiscal 2014 outlook includes estimates for the cost to investigate the incident and related activities (e.g. providing credit monitoring services to its customers, increasing call center staffing).

The company admitted it’s not yet able to estimate overall costs for liabilities related to payment card networks for reimbursements of credit card fraud and card re-issuance costs. However, costs associated with the incident so far have reached approximately $62 million.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Home Depot, data breach)