Home Depot estimates data on 56 million cards stolen by cybercriminals
The cybercriminals who compromised Home Depot’s network and installed malware on the home-supply company’s point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.
In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” Home Depot said in its statement. “The hacker’s method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all US stores.”
As part of its efforts, the company has completed a “major payment security project” to provide better encryption at the point of sale in US stores, the statement said. Security experts recommend that retailers set their point-of-sale systems to encrypt data at the check-out counter to prevent malware from gathering the information. It’s not known whether Home Depot is referring to such a security measure.
The company will be rolling out more than 85,000 PIN pads to stores as part of its update to a more secure chip-and-PIN method of payment, which uses a numerical password to unlock payment details on the card.
Home Depot has not found any evidence that the PINs used to secure debit cards had been compromised in the breach.
The breach may have only impacted self-checkout terminals, according to an article published earlier on Thursday by security journalist and blogger Brian Krebs.
Frank Blake, Home Depot’s chairman and CEO, apologized to customers and stressed that any fraudulent charges will be handled by the company or financial institutions.
The number of payment cards affected makes the Home Depot breach larger than the Target breach that occurred last November and December, which put 40 million card accounts at risk. However, the cybercriminals who infiltrated Target also stole details on some 70 million of the retailer’s customers.