Home Depot began an investigation in early September after several banks reported that a large batch of stolen credit and debit cards could have originated from the company’s stores.
The retailer has now confirmed that its IT systems were breached, but claimed the attackers used “unique, custom-built malware” to evade detection.
“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” the retailer said in a statement.
According to investigators, the malware was active between April and September 2014. Home Depot said all the malware has now been removed from its US and Canadian networks.
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service,” the retailer said.
Data breach a costly lesson
The company said it has put security improvements in place, including rolling out enhanced encryption of payment data to all US stores. The roll-out to Canadian stores is set to be completed by early 2015.
“There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online,” the retailer said.
The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014 from April onwards.
“We apologise to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO at Home Depot.
The company said investigating the incident had cost $62m, $27m of which would be covered by insurance payments.
Home Depot is also facing a lawsuit in Canada, where as many as four million customers could have been affected.
US retailers have been slower to adopt the Chip and PIN technology used in the UK and most European countries because many US credit cards still lack microchips. The US payments industry has set a deadline of October 2015 to switch to Chip and PIN.
Home Depot said Chip and PIN technology, which began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all of its US stores by the end of 2014.
Retailers a favoured target of hackers
Trey Ford, global security strategist at Rapid7, said big retailers are great targets for sophisticated, well-resourced cyber criminals.
“Criminals are able to invest time in researching their targets to find a way into the network. Once they are in, they stay quiet and fly unobserved under the radar, potentially for months at a time.
“It is really hard for organisations to detect them in many cases because they can be using stolen account details and look like a bona fide user.
“It is well worth the planning and patience involved for the attacker when the potential pay day is this significant,” he said.
Chris McIntosh, CEO of ViaSat UK, said the fact that over one-sixth of the US population has been affected proves that cyber attacks do not just happen to the occasional unlucky or gullible individual.
“The fact that the threat remained undetected for five months shows that a more robust approach is needed. The best starting point is to assume that threats are already on the network,” he said.
Organisations, especially those that act as the custodians of individuals’ data, should also ensure that all information is encrypted, said McIntosh.
“The fact that the in-store payment system failed to do this is unacceptable when fraud and cyber attacks are increasing in sophistication by the minute,” he said.