Get the latest tech news How to check Is Temu legit? How to delete trackers
TECH
Home Depot

Home Depot: Card breach put 56M cards at risk

Elizabeth Weise and Chris Woodyard
USA TODAY
Shoppers walk through the aisles at a Home Depot store in Williston, Vt., in 2010. The Home Depot said Sept. 18 that it eliminated malware from its U.S. and Canadian networks that affected 56 million payment cards from April to September.

Home Depot said Thursday that the security breach it reported this month allowed cyberthieves to cull information from 56 million credit and debit cards, far worse in terms of data loss than a similar attack late last year on the Target store chain.

The malicious software, or malware, was placed on Home Depot point-of-sale terminals, or cash registers, from April to September, the company said in a news release. The malware was found in Home Depot stores in the USA and Canada.

The number of cards involved in Home Depot's loss dwarfs the 40 million Target says were compromised over a three-week period. Target said that breach also resulted in the theft of personal data for up to 70 million customers — including names, phone numbers, mailing addresses or email addresses — but the amount of overlap is unknown.

The Home Depot and Target cases show that big-box retailers are particularly vulnerable to cyberthieves.

Thieves "are able to invest time in researching their targets to find a way into the network," says Trey Ford, a global security strategist at the security firm Rapid7, in a statement. "Once they're in, they stay quiet and fly unobserved under the radar."

Brian Krebs, who first broke news of the breach in his KrebsOnSecurity blog, reported that the malware was installed in terminals in self-service aisles, which limited the data loss. Though both credit and debit information was taken, the chain says, the thieves would have been unable to retrieve PIN numbers used on the debit cards.

Home Depot says the criminals "used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks," according to Home Depot's security partners.

    The malware has been eliminated, Home Depot said. All infected terminals were taken out of service. Home Depot offers credit monitoring to affected customers.

    The news was announced after the close of trading. Home Depot said the breach has cost $62 million, and that figure could climb in the fourth quarter. Target reported in August that its breach cost $146 million after insurance reimbursements.

    Home Depot shares closed at $92.09, up 87 cents, or 0.95%, on Thursday.

    Featured Weekly Ad