Skip to main content

Home Depot puts breach costs at $62 million; 56 million cards at risk


Atlanta -- Home Depot Inc. confirmed that some 56 million payment cards were likely compromised in a data breach that went undetected for five months. It is the largest known breach of a retail company’s computer network to date. By comparison, the widely publicized breach at Target last December affected 40 million credit and debit cards.

The home improvement giant said the malware used in the attack has been eliminated from its U.S. and Canadian networks. It also said it has completed a major payment security project providing enhanced encryption of payment data at the point of sale in its U.S. stores. The roll-out to Canadian stores will be completed by early 2015.

Home Depot’s new enhanced encryption technology takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers. The technology, provided by Voltage Security, has been tested and validated by two independent IT security firms, the retailer said.

Home Depot estimated the costs to investigate the breach, provide credit monitoring services to its customers, increase call center staffing, and pay legal and professional services would run $62 million, partially offset by $27 million it expects to be reimbursed by its insurance.

In a statement, Home Depot said the cyber criminals used “unique, custom-built malware” that has not been seen previously in other attacks to evade detection. The malware is believed to have been present between April and September 2014.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

The company reiterated that there is evidence personal identification numbers for debit cards were compromised in the attack. It also restated that purchases made online and at stores in Mexico were not affected.

This ad will auto-close in 10 seconds