Home Depot confirms data theft for 56 million cards

Home Depot announced that data related to 56 million cards were stolen by cyber criminals.

Home Depot, the US largest home improvement retailer, confirms breach impacted 56 million customers.

On Thursday the company Home Depot released an update on the evolution of the investigation of the data breach suffered by the company.

Home Depot data breach is larger than the incident at Target retailer, which exposed exposed 40 million cards, and the investigation puts the extension of the incident behind TJX Cos.’s theft of 90 million records.

The company confirmed that a malware infected its POS network between April and September of 2014.

“The hacker’s method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.” states Home Depot.

As reported in the update, the company’s ongoing investigation has determined the following:

Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
The malware is believed to have been present between April and September 2014.

The statement issued by Home Depot reports elements of investigation conducted by the US Secret Service, Symantec, and internal security staff.

The threat actor used a “custom-built malware” to evade detection and payment card data of 56 million unique payment cards are at risk of exposure. Experts involved in the investigation haven’t provided further information related to attacks, it’s not clear how the threat actors had access to the Home Depot network.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so,” said Frank Blake, chairman and CEO.

To improve the security of payment processes, Home Depot has announced that the new payment security protection is based on strong encryption to secure credit card data, the company revealed to have chosen encryption technology provided by the Voltage Security firm.

The Voltage solution was already deployed in all US stores last week, meanwhile, it will be extended to stores located in Canada within early 2015. Home Depot will be rolling out more than 85,000 PIN pads to stores which will use them to unlock payment details on the card.

Home Depot confirmed its sales-growth estimates for the fiscal year, despite the company’s fiscal 2014 outlook includes estimates for the cost to investigate the incident and related activities (e.g. providing credit monitoring services to its customers, increasing call center staffing).

The company admitted it’s not yet able to estimate overall costs for liabilities related to payment card networks for reimbursements of credit card fraud and card re-issuance costs. However, costs associated with the incident so far have reached approximately $62 million.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Home Depot, data breach)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.