Home Depot: 56 Million Cards BreachedRetailer Says Custom-Built Malware Evaded Detection
See Also: HIPAA Audits: A Revised Game Plan
The incident is larger than the Target Corp. breach, where 40 million credit and debit card details were compromised, but falls shy of the 2008 Heartland breach, in which an estimated 100 million cards were compromised.
Home Depot, in an updated statement Sept. 18, says that to evade detection, the criminals involved in the cyber-attack against it used custom-built malware, which has not been used in other attacks. The malware, which was present on Home Depot's payment systems between April and September, has since been eliminated from its U.S. and Canadian networks, the retailer says.
The company also has completed a major payment security project that provides enhanced encryption of payment data at the point of sale in the company's 1,977 U.S. stores.
The retailer's enhanced payment security is from Voltage Security. The encryption project, launched in January, was completed in all U.S. stores on Sept. 13. The project required writing tens of thousands of lines of new software code and deploying nearly 85,000 new PIN pads to stores, Home Depot says.
Rollout of enhanced encryption to 180 Canadian stores will be completed by early 2015, the company says. All Canadian stores are already equipped with EMV technology; U.S. stores will have EMV in place by the end of this year.
Home Depot says there's no evidence that debit PINs were compromised in the breach. Stores in Mexico, and customers who shopped online in the U.S. or Canada, were not affected the breach, the company adds.
All individuals affected by the breach will receive free identity theft protection services, including credit monitoring, for one year, Home Depot says.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," says Frank Blake, chairman and CEO. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
Home Depot estimates it will spend $62 million in fiscal 2014 for breach-related costs, including investigating the incident, providing credit monitoring services to its customers, increasing call center staffing, and paying legal and professional services. The company expects its insurance to cover about $26 million of that expense.
Large Retailers Remain Hacking Targets
Trey Ford, global security strategist at data security firm Rapid7, says retailers who process millions of card transactions per year remain natural targets for patient hackers, given the potential profits to be gained by reselling stolen card data on the black market. "It's well worth the planning and patience involved for the attacker when the potential pay day is this significant," Ford says. "We can expect other large global retailers, such as Wal-Mart, Carrefour, Tesco and Metro AG, will be paying close attention as the investigation continues."