Home Depot confirms data theft for 56 million cards

Pierluigi Paganini September 19, 2014

Home Depot announced that data related to 56 million cards were stolen by cyber criminals.

Home Depot, the US largest home improvement retailer, confirms breach impacted 56 million customers.

On Thursday the company Home Depot released an update on the evolution of the investigation of the data breach suffered by the company.

Home Depot data breach is larger than the incident at Target retailer, which exposed exposed 40 million cards, and the investigation puts the extension of the incident behind TJX Cos.’s theft of 90 million records.

home depot data-breach

The company confirmed that a malware infected its POS network between April and September of 2014.

“The hacker’s method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.” states Home Depot.

As reported in the update, the company’s ongoing investigation has determined the following:

  • Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
  • The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
  • The malware is believed to have been present between April and September 2014.
The statement issued by Home Depot reports elements of investigation conducted by the US Secret Service, Symantec, and internal security staff.
The threat actor used a “custom-built malware” to evade detection and payment card data of 56 million unique payment cards are at risk of exposure. Experts involved in the investigation haven’t provided further information related to attacks, it’s not clear how the threat actors had access to the Home Depot network.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so,” said Frank Blake, chairman and CEO.

To improve the security of payment processes, Home Depot has announced that the new payment security protection is based on strong encryption to secure credit card data, the company revealed to have chosen encryption technology provided by the Voltage Security firm.

The Voltage solution was already deployed in all US stores last week, meanwhile, it will be extended to stores located in Canada within early 2015. Home Depot will be rolling out more than 85,000 PIN pads to stores which will use them to unlock payment details on the card.

Home Depot confirmed its sales-growth estimates for the fiscal year, despite the company’s fiscal 2014 outlook includes estimates for the cost to investigate the incident and related activities (e.g. providing credit monitoring services to its customers, increasing call center staffing).

The company admitted it’s not yet able to estimate overall costs for liabilities related to payment card networks for reimbursements of credit card fraud and card re-issuance costs. However, costs associated with the incident so far have reached approximately $62 million.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Home Depot, data breach)

you might also like

leave a comment