Home Depot confirms breach impacted 56 million customers

An update on the status of the investigation confirms impact figures


On Thursday, Home Depot released an update on the status of their breach investigation. The update didn't include many details, but the retailer did confirm that the incident impacted 56 million customers, making their breach larger than the incident at Target.

In a statement, Home Depot said that the company's investigation, which includes elements of the US Secret Service, Symantec, and their own internal teams, has determined that "unique, custom-built malware" was used in order to help the criminals evade detection. That investigators are calling the malware new puts to rest speculation that it was related to BlackPOS, the malware used during the Target breach.

However, the largest bit of news from the statement is that the attack itself "is estimated to have put payment card information at risk for approximately 56 million unique payment cards."

Target's breach only exposed 40 million cards, but the attackers spent less time on the network in order to obtain them. Home Depot says that the malware is believed to have been active on their POS network between April and September of 2014.

The method used by the attackers to gain access to the Home Depot network has been closed off, but the company didn't explain how said access was achieved.

"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges. From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so," said Frank Blake, chairman and CEO.

Home Depot says they have turned to Voltage Security in order to better protect card data going forward. Given Voltage's product offerings, it's likely that Home Depot will be leveraging tokenization.

The retailer said that Voltage's products were fully deployed in all U.S. stores last week. Stores in Canada will be completely updated by early 2015. In addition, plans to deploy EMV (Chip & PIN) technology will be complete by the end of the year, as previously stated.

Earnings-wise, Home Depot says that they cannot estimate costs associated with the breach for Q4 2014 or how they'll impact future earnings. However, costs associated with the breach so far have reached approximately $62 million.
