56M cards exposed at Home Depot is largest retail card breach ever

By Chad Hemenway on September 18, 2014
Home Depot, Elizabeth, NJ

Home Depot, Elizabeth, NJ

The Home Depot said it has eliminated the malware used to breach its point-of-sale systems but payment card information of about 56 million customers could have been exposed.

If the number of potentially affected payment cards remains at 56 million, the Home Depot breach could be considered the largest retail breach of payment card information in history, according to Advisen Loss Insight.

The home-improvement retailer said its ongoing investigation revealed that “criminals used unique, custom-built malware to evade detection,” and the malware used to breach its networks between April and September “had not been seen previously in other attacks.”

“The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all US stores,” Home Depot said in a statement.

There is no evidence that debit PIN numbers were compromised, Home Depot said. To any one who shopped with a payment card in its stories starting in April, the big-box chain is offering free identity protection services, including credit monitoring.

Brian Krebs, author of the blog Krebs on Security, was told by banks earlier this month that they were are seeing evidence Home Depot had been the victim of a breach of credit and debit cards, which have gone up for sale on underground websites. Nearly all of Home Depot’s 2,200 stores in the US looked to have been affected. In its latest release, the retailer did not specify how many stores were included in the hack.

Home Depot’s 56 million cards exposed eclipses Target’s late 2013 breach that exposed 40 million cards. The third-largest retailer later said other personally identifiable information of 70 million customers were exposed as well.

By affected count, Home Depot would slide in as the second-largest retail data breach–between Target and CVS.

The reason why the breach did not expose as many payments cards as initially suspected during the period April-September is due to the fact the malware was stored mainly on self-checkout lane systems, Krebs said his sources have told him.

About 10 days ago Home Depot confirmed it suffered a data breach of its payment systems but did not release much additional information. Home Depot said its investigation began September 2 immediately after it got reports of a possible breach, and the store’s internal IT team worked with other IT security firms, banking partners and the US Secret Service.

The company’s September 18 statement includes information regarding expected losses. Home Depot expects about $62 million in losses related to the data breach investigation, providing credit-monitoring services, increasing call-center staff, and legal and professional services.

Home Depot said the loss will be partially offset by $27 million in reimbursements and “probable recovery under its insurance coverage.”

The company is already facing a class action lawsuit filed on behalf of banks affected by costs of reissuing payment cards and notifying consumers.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.