Home Depot Admits 56 Million Payment Cards At Risk After Cyber Attack

09/18/2014 04:52 pm ET | Updated Sep 21, 2014

The Home Depot said Thursday that about 56 million customer debit and credit cards were put at risk after hackers broke into the company's payment systems.

In a statement, the home improvement retailer said the malicious software used in the attack had been removed from its computer system in the United States and Canada and that the company had enhanced encryption at point-of-sale terminals at its U.S. stores.

The number of cardholders affected in the Home Depot attack marks what is likely the largest breach ever of a retailer's computer system, surpassing the 40 million cardholders who were affected when Target was hacked last fall.

Home Depot's investigation found the hackers escaped detection by using custom-made malware that had never been seen before. Such malware -- which hackers call "zero days" because that's how long it's been known -- can't be spotted by traditional anti-virus software.

Home Depot said the malware that stole the credit card data resided on its computer systems from April until September of this year -- far longer than the attack against Target, which went on for about three weeks.

Home Depot said there was no evidence that debit card PIN numbers were compromised or that the breach impacted stores in Mexico or customers who shopped online.

The retailer is offering free credit monitoring to customers who used a payment card at a Home Depot store since April. Home Depot has 1,977 stores in the United States and 180 in Canada.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Home Depot CEO Frank Blake said in a statement. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

The company said it has finished installing security software that scrambles credit card data to make it unreadable to hackers. The rollout of the software began in January, but it wasn't completed in Home Depot's U.S. stores until last Saturday.

The company also said it will finish setting up more secure credit card readers in all of its U.S. stores by the end of the year. The new technology will be able to read a new type of credit card that uses a combination of an embedded microchip and a code to authorize transactions. "Chip and pin" technology, as it is known, is supposed to make it much more difficult for thieves to use stolen credit card data to make counterfeit cards. All merchants and banks are under an October 2015 deadline to upgrade to the more secure credit cards.

The Home Depot breach is just the latest in a string of cyber attacks against major retailers this year. Target, Sally Beauty, Neiman Marcus and Michaels have all also been hacked.

That list is expected to grow even longer. Last month, the Department of Homeland Security warned that more than 1,000 U.S. retailers may have been infected with malware lurking in their payment systems.

While Home Depot confirmed the size of the breach Thursday, many questions remain unanswered, including how the hackers found their way into the retailer's computer system -- and who they are.

Investigators believe the thieves may be from Eastern Europe because the malware they used in the attack had links to websites referencing the United States' role in the conflict in Ukraine, according to The New York Times.

While the breach affected 56 million cards, it could have been even worse. The hackers installed malware mostly on payment systems in Home Depot's self-checkout lanes, suggesting they likely stole fewer cards than they could have if they had targeted regular checkout lanes, according to cybersecurity reporter Brian Krebs, who cited sources close to the investigation.

CONVERSATIONS