Home Depot confirms 56 million payment cards affected by cyber breach

US retailer Home Depot has confirmed that a cyber attack compromised about 56 million payment cards.

The announcement revealed that the breach of customer payment card information is greater than the recent Target breach of 40 million card records that led to the resignation of the CIO and CEO.

The Home Depot breach is now second only to the theft of 130 million payment card details from Heartland Payment Systems in 2009.

Home Depot began an investigation in early September after several banks reported that a large batch of stolen credit and debit cards could have originated from the company’s stores.

The retailer has now confirmed that its IT systems were breached, but claimed the attackers used “unique, custom-built malware” to evade detection.

“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” the retailer said in a statement.

According to investigators, the malware was active between April and September 2014. Home Depot said all the malware has now been removed from its US and Canadian networks.

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service,” the retailer said.

Data breach a costly lesson

The company said it has put security improvements in place, including enhanced encryption of payment data to all US stores. The roll-out to Canadian stores is set to be completed by early 2015.

“There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online,” the retailer said.

The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014 from April onwards.

“We apologise to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO at Home Depot.

The company said investigating the incident had cost $62m, $27m of which would be covered by insurance payments.

Home Depot is also facing a lawsuit in Canada, where as many as four million customers could have been affected.

US retailers have been slower to adopt the Chip and PIN technology used in the UK and most European countries because many US credit cards still lack microchips. The US payments industry has set a deadline of October 2015 to switch to Chip and PIN.

Home Depot said Chip and PIN technology, which began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all of its US stores by the end of 2014.

Retailers a favoured target of hackers

In recent months, data breaches have been reported by large US retailers Target, Neiman Marcus, Sears, Michaels and Supervalu, affecting millions of US cardholders.

Trey Ford, global security strategist at Rapid7, said big retailers are great targets for sophisticated, well-resourced cyber criminals.

“Criminals are able to invest time in researching their targets to find a way into the network. Once they are in, they stay quiet and fly unobserved under the radar, potentially for months at a time.

“It is really hard for organisations to detect them in many cases because they can be using stolen account details and look like a bona fide user.

“It is well worth the planning and patience involved for the attacker when the potential pay day is this significant,” he said.

Chris McIntosh, CEO of ViaSat UK, said the fact that over one-sixth of the US population has been affected proves that cyber attacks do not just happen to the occasional unlucky or gullible individual.

“The fact that the threat remained undetected for five months shows that a more robust approach is needed. The best starting point is to assume that threats are already on the network,” he said.

Organisations, especially those that act as the custodians of individuals’ data, should also ensure that all information is encrypted, said McIntosh.

“The fact that the in-store payment system failed to do this is unacceptable when fraud and cyber attacks are increasing in sophistication by the minute,” he said.