Home Depot has confirmed that 56 million cards were compromised in a major security breach between April and September of this year. The breach affected customers in the United States and Canada.
Home Depot confirmed the breach in a filing with the SEC that said the following:
The Company's ongoing investigation has determined the following:
• Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot's security partners.
• The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
• The malware is believed to have been present between April and September 2014.
Home Depot started investigating the breach on September 2, the same day banks became aware of unusual activity for Home Depot customers. It's offering what it calls "free identity protection services," including credit monitoring, to anyone who used a Home Depot card in stores during the time of the breach, so if you're one of the unlucky shoppers affected, they should be letting you know. (And if anyone has been contacted by Home Depot about this, let me hear it in the comments.)
Now for some good news for people who shopped with debit cards, people who shopped online, and people in Mexico:
There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.
This attack is reminiscent of a similar attack on Target, which ended up affecting 40 million customers.
If you're planning on shopping there this week, the company says it has eliminated the malware. They sent 85,000 new pin pads to stores as part of their clean-up.
Home Depot noted that they're getting EMV "Chip and Pin" technology in all U.S. stores by the end of the year. If there's any good that can come from this bad situation, it'll be if other big retailers get freaked out enough to speed up implementing chip and pin before the 2015 industry deadline.