
56 Million Payment Cards Stolen in Home Depot Breach

More than 56 million credit and debit cards were stolen in the recent data breach at Home Depot, which has cost the home improvement retailer over $62 million. As projected, this breach may be the largest theft ever of credit cards from a single company, bigger even than the December 2013 breach at Target stores, which resulted in 40 million payment cards being stolen alongside contact information on 70 million Target customers.

A statement released by Home Depot also states that the malware used in the thefts had been completely removed from all U.S. and Canadian stores. U.S. stores have also implemented a new "enhanced payment protection" system for encrypting customers' credit- and debit-card data. Canadian stores will get the system by early 2015.


"Criminals used unique, custom-built malware to evade detection," Home Depot's statement says. "The malware had not been seen previously in other attacks, according to Home Depot's security partners."

Some security experts had believed that the malware used in the Home Depot hack was a variant of the malware family known as BlackPOS, or sometimes Kartosha (KAPTOXA in Cyrillic). BlackPOS was used in the Target breach, which led to speculation that the same cybercriminal group was behind both Target's and Home Depot's breaches.

Home Depot also says that its new payment protection system works by "tak[ing] raw payment card information and scrambl[ing] it to make it unreadable and virtually useless to hackers." The system is provided by Cupertino, California-based enterprise security company Voltage Security Inc.

In addition, Home Depot says it will install "chip-and-PIN" card readers, which are already in place in its Canadian stores, in its U.S. locations by the end of the year. Chip-and-PIN payment cards are more secure because they can store payment data on a chip embedded in the card rather than on a magnetic stripe, as most current U.S. credit cards do.

Chip-and-PIN cards are already standard in most of Europe. Visa and MasterCard have said that they will be switching to chip-and-PIN cards by October 2015, and that all U.S. retailers have until then to install the necessary point-of-sale devices in their stores.

News that Home Depot had possibly suffered a data breach first broke on September 2, thanks to independent security researcher Brian Krebs. Home Depot did not confirm the breach until September 8.

Overall, the breach has cost Home Depot $62 million, covering the investigation, the credit monitoring services it is offering to affected customers, increased staffing for customer outreach, and other legal and professional services. Home Depot says that it expects to get $27 million back in insurance coverage, and also assured investors that it's still on track to achieve its third-quarter sales goals.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.