Home Depot Security Breach Affects 56M Credit Card Holders

The retailer said that the data breach, caused by malware that has never been seen before, will cost an estimated $62 million.

Home Depot, providing new details about its recently disclosed data breach, publicly revealed Sept. 18 how many consumers may have been impacted.

Executives at Home Depot suspect that 56 million unique credit cards are at risk as a result of the breach. The retailer is now also confirming that the breach lasted from April to September of this year.

Home Depot began investigating reports of a possible data breach in early September. On Sept. 8, the retailer confirmed publicly that a breach had occurred. At the time, Home Depot did not disclose how many consumers were at risk or how many of its 2,266 stores were involved in the breach.

In its Sept. 18 update, Home Depot still had not provided full details on how many of its stores were affected, though the company is now offering free credit monitoring and identity protection services to any customer who used a credit card at any Home Depot location.

Another detail that is still unknown is the exact malware that was used in the attack. Early on, there was some speculation that a malware family known as Backoff had caused the Home Depot breach. Since August, the U.S. government has been warning about the dangers of Backoff malware as a threat to point-of-sale (POS) systems. The government suspects more than 1,000 retailers of being infected with Backoff, though Home Depot is not one of them.

"In this attack, criminals used unique, custom-built malware to evade detection," Home Depot spokesperson Paul Drake wrote in an email to eWEEK. "The malware had not been seen previously in other attacks, according to our security partners."

That also means Home Depot was not likely attacked by the same malware that impacted Goodwill Industries, which also confirmed this month that it had been breached by POS malware. In Goodwill's case, the malware is known as rawpos and is not related to Backoff.

According to Home Depot, only credit cards were impacted, and there is no evidence that debit card PINs were stolen. In order to further boost its security, Home Depot has been working on a data encryption project that began in January 2014 but wasn't deployed in all U.S. stores until Sept. 13. Home Depot's Canadian stores will have the new encryption technology in place by early 2015. As part of the new security measures, Home Depot noted that it is deploying approximately 85,000 new PIN pads to its retail locations.

Home Depot has stated that it expects costs associated with the breach to be approximately $62 million. The retailer expects to be able to recover $27 million of the breach costs from insurance coverage it currently holds.

Home Depot's breach cost estimates pale in comparison to those estimated by Target, which was the victim of a data breach in December 2013. Target estimated its breach-related costs to be $148 million and expects to recover $38 million from its insurance coverage.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.