Home Depot hackers got 53 million email addresses

Atlanta –- In addition to obtaining data from 56 million payment cards between April and Sept. 2014, hackers who infiltrated the network of The Home Depot Inc. also obtained the email addresses of 53 million customers.



In a statement on its website, the retailer said the files containing the email addresses, which were separate from the payment card files, did not contain passwords or other sensitive information, but customers should still be on guard against phishing scams.



The Home Depot said it will notify affected customers in the U.S. and Canada. In addition, the retailer provided an update on the ongoing investigation into breach it is conducting with law enforcement and third-party IT experts. Hackers used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.



These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.



In response, Home Depot has accelerated the rollout of enhanced payment data encryption technology from Voltage Inc., started in Jan. 2014. The rollout was completed in all U.S. stores by Sept. 13, 2014 and will be completed in all Canadian stores by early 2015.



The company is also rolling out EMV chip-and-PIN technology, which was deployed to Canadian stores in 2011. Launched as a project for U.S. stores in January 2013, the project will be completed ahead of the payment industry’s Oct. 2015 deadline. Security experts told The Home Depot he malware used in the attack had not been seen before and was designed to evade detection by antivirus software. As of Sept. 18, the hackers’ method of entry has been closed off and the malware eliminated.



Home Depot said it does not expect any additional disclosures on the breach outside of regular quarterly financial releases. The retailer also reaffirmed its third quarter guidance of 4.8% sales growth and earnings per share growth guidance of $4.54, approximately 21%. However, the EPS guidance does not include breach-related costs, which Home Depot says it has not yet been able to estimate. The breach may affect Home Depot financial results in the fourth quarter and in future periods.