US chain Home Depot now has the dubious honor of falling victim to the largest retail card breach on record, after it revealed that information from approximately 56 million cards had been put at risk from an attack disclosed at the beginning of September.
In its first major missive since the incident, Home Depot said that since being notified about a potential incident on September 2, its IT security team had been working “round the clock” with security vendors, banking partners and the Secret Service.
The cybercriminal gang which launched the attack apparently used “custom-built malware” never before seen to evade detection, installing it back in April.
The release continued:
“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements. The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all US stores.”
PINs, Home Depot’s Mexico stores and online shoppers at HomeDepot.com and HomeDepot.ca are thought not to have been compromised.
The firm said it now applies enhanced encryption to payment card data. The project was actually started in January but has taken until now to complete in all US stores.
Chip and PIN technology will also be rolled out by the end of the year in the US, although it’s already available in Canada, Home Depot said.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO, in a prepared statement.
“From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
If Home Depot’s sums add up, the breach trumps that of Target last year, which exposed data on 40 million cardholders.
Trey Ford, global security strategist at Rapid7, argued that big name retailers like Home Depot represent an attractive target for cybercriminals.
“They are able to invest time in researching their targets to find a way into the network," he added.
"Once they’re in, they stay quiet and fly unobserved under the radar, potentially for months at a time. It’s really hard for organizations to detect them in many cases because they can be using stolen account details and look like a bona fide user."