NEW YORK — Home Depot said that 56 million debit and credit cards are estimated to have been breached in a data theft between April and September at its stores in the U.S. and Canada. That makes it the second-largest breach for a retailer on record.
The nation's largest home improvement retailer, based in Atlanta, also confirmed Thursday that the malware used in the data breach has been eliminated. The retailer said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a "major" payment security project that provides enhanced encryption of customers' payment data in the company's U.S. stores.
The disclosure puts the data breach behind TJX Cos.'s theft of 90 million records, disclosed in 2007 and ahead of Target's pre-Christmas 2013 breach which compromised 40 million credit and debit cards.
Home Depot confirmed its sales-growth estimates for the fiscal year and said it expects to earn $4.54 per share in fiscal 2014, up 2 cents from its prior guidance. The company's fiscal 2014 outlook includes estimates for the cost to investigate the data breach, providing credit monitoring services to its customers, increasing call center staffing and paying legal and professional services.
However, the profit guidance doesn't include potential yet-to-be determined losses related to the breach. The company said it's not yet able to estimate costs beyond those included in the guidance issued Thursday. Those costs could include liabilities related to payment card networks for reimbursements of credit card fraud and card reissuance costs. It could also include future civil litigation and governmental investigations and enforcement proceedings.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable, for fraudulent charges," said Frank Blake, chairman and CEO in a statement. "From the time this investigation began, our guiding principal has been to put our customers first, and we will continue to do so."
The breach at Home Depot was first reported on September 2 by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity. Krebs said multiple banks reported "evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards" that went on sale on the black market earlier Tuesday. Later that day, Home Depot said it was working with both banks and law enforcement to investigate "unusual activity" that would point to a hack.
The next day it said that it had hired security firms Symantec and FishNet Security to help it investigate the possible hacking
Unlike Target's breach, which resulted in falling sales as shoppers worried about security, Home Depot's business appears to remain intact.
The reason? Customers appear to be growing accustomed to breaches, following a string of them this past year, including Michaels, SuperValu and Neiman Marcus. Home Depot might have also benefited in the timing in another way— the disclosure came in September, months after the spring season, which is the busiest time of year for home-improvement chains.