Two weeks after being notified it had been hacked, Home Depot said Thursday that cybercriminals made off with information from an estimated 56 million “unique” payment cards at its stores.
The breach, which took place between April and September, is one of the largest in the nation, topping the 40 million credit and debit card accounts compromised last year at retailer Target.
It also could cost Atlanta-based Home Depot dearly, analysts have said, noting that Target has paid out $148 million so far for its hack. Home Depot, however, said its third-quarter sales so far are meeting expectations. It estimated costs from the breach at $62 million.
The home improvement company said the malware used to infect its computers was like none seen in previous attacks, which have hit everything from retailers to banks to restaurant chains such as Athens-based Zaxby’s. In addition to Home Depot’s own IT team and security experts, the Secret Service was called in to investigate.
To avoid future attacks, the company said it has employed enhanced encryption at terminals that takes “raw payment card information and scrambles it to make it unreadable and virtually useless to hackers.”
It also will have completed installation of chip-and-PIN technology, which is said to better protect credit and debit information, by year’s end in U.S. locations.
David Barton, managing director of consulting firm UHY Advisors, said he was not surprised that cybercriminals found a way around known security measures. They continue to innovate, making efforts to beat them difficult.
“They yet again have found another way to cover their tracks so to speak,” he said. “It reinforces my message that this problem is not going to magically disappear.”
Blogger Brian Krebs, who broke the story of the breach on his website KrebsOnSecurity, reported Thursday that experts think the malware may have been installed mainly in registers in self-checkout lanes.
To mitigate the damage even before the company knew it had been breached, Home Depot quickly offered customers credit monitoring and said they would not be responsible for card charges relating to a hack. The company confirmed the breach a week later.
The struggles Target has experienced since its breach was announced — the company’s share price dropped and its chief executive officer lost his job — may not be repeated at Home Depot because consumers may be growing more blasé about breaches, given their frequency, experts said. And because the companies — and not consumers — usually pay the price for the hacks, customers shrug them off.
Home Depot said early estimates of the cost of monitoring customer credit, investigating the hack and other breach-related activities are $62 million, though insurance could cover $27 million of that.
At least two class-action lawsuits have been filed against Home Depot, suggesting that not all customers are willing to look the other way.
Home Depot, which first learned of the hack Sept. 2 from banks and law enforcement, said the malware was eliminated and affected terminals were taken out of service. The company also said it severed the hackers’ method of entry.
Despite the breach, the company stuck with its fiscal 2014 guidance of 4.8 percent sales growth. It raised its earnings per share expectations for the fiscal year to about $4.54 from the prior guidance of $4.52.