Just when you thought retailer data breaches wouldn’t get much bigger, they did. Home-improvement retailer The Home Depot Inc. disclosed Thursday that the breach it confirmed Sept. 8 compromised 56 million payment cards between April and this month.
That means Home Depot’s breach affected 40% more cards than the 40 million Target Corp. confirmed were exposed in the breach it reported last December.
Home Depot’s breach was the result of malware placed on its point-of-sale systems at its U.S. and Canadian stores, which the Atlanta-based retailer said has now been removed. The company said it began investigating a possible breach Sept. 2 after receiving reports from banks and law-enforcement officials that its systems may have been attacked. The KrebsOnSecurity news site first reported a possible breach at Home Depot based on information from financial-institution sources about sales of stolen card numbers.
“Criminals used unique, custom-built malware to evade detection,” Home Depot said in a news release. “The malware had not been seen previously in other attacks, according to Home Depot’s security partners.” The company has called on the U.S. Secret Service and private data-security firms to investigate.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the release says, adding that “the hackers’ method of entry has been closed off.”
Home Depot continues to insist that no PIN-debit numbers were compromised, although some news reports have said fraudsters using stolen card numbers from Home Depot successfully persuaded banks to issue new PINs, enabling them to make fraudulent ATM withdrawals. Home Depot, which has more than 2,000 stores, also said its stores in Mexico as well as its U.S. and Canadian e-commerce sites were not affected.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, chairman and chief executive, said in the release. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
Home Depot last Saturday completed the roll-out of a new data-encryption service from Voltage Security Inc. for its U.S. stores. Enhanced encryption for Canadian stores will be in place early next year.
The company also said it will have Europay-MasterCard-Visa (EMV) chip-card-reading terminals installed in all of its U.S. stores by year’s end, 10 months ahead of a major EMV deadline. In Canada, where EMV chip card payments are now the standard, all Home Depot stores already have chip card readers.
“These projects required writing tens of thousands of lines of new software code and deploying nearly 85,000 new PIN pads to stores,” the release says.
So far, Home Depot has incurred $62 million in breach-related costs, including estimates for investigations, providing credit-monitoring services to customers, increased call-center staffing, and legal and professional services. The company expects $27 million of the costs to be offset by insurance. It would not estimate future breach costs, including payment-network bills to reimburse card issuers for re-issuance expenses, or litigation.
In addition to the 40 million cards compromised in its breach, Target said the incident also exposed non-card data on 70 million customers. The breach has resulted in $236 million in expenses so far.
Merchant processor Heartland Payment Systems Inc. still holds the title for the worst payment card breach on record, with 130 million cards compromised. Retailer TJX Cos.’ breach compromised at least 46 million cards and possibly as many as 94 million.