Home Depot breach exposes a whopping 56M credit cards

The hardware chain says it has eliminated all malware from its systems after a massive hack put tens of millions of customers' data at risk.

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
2 min read

Home Depot

Home Depot said Thursday that 56 million unique credit cards were put at risk of theft as a result of a security breach earlier this year in what could be the largest credit card exposure yet.

"Criminals used unique, custom-built malware to evade detection," the hardware store chain said in a statement Thursday. "The malware had not been seen previously in other attacks."

The company said that the malware, which it believes was present in Home Depot store systems between April and September 2014, has been eliminated from its systems and any terminals identified with malware were taken out of service. Additionally, Home Depot has rolled out enhanced encryption of payment data in all US stores.

Home Depot revealed last week that it was "="" related="" to="" customer="" data"="" shortcode="link" asset-type="article" uuid="2ec507b2-9e33-480b-a910-f1e4617d8c16" slug="home-depot-probes-possible-customer-data-theft" link-text="investigating " section="news" title="Home Depot probes possible customer data theft" edition="us" data-key="link_bulk_key" api="{"id":"2ec507b2-9e33-480b-a910-f1e4617d8c16","slug":"home-depot-probes-possible-customer-data-theft","contentType":null,"edition":"us","topic":{"slug":"cybersecurity"},"metaData":{"typeTitle":null,"hubTopicPathString":"Tech^Services and Software^Online^Cybersecurity","reviewType":null},"section":"news"}"> but didn't actually say that it had been the victim of a credit card breach at that time.

The possibility of a breach was raised by security reporter Brian Krebs, who reported that "multiple banks" had seen evidence that Home Depot may be the source of a large cache of stolen customer credit and debit cards put up for sale on black markets.

The company said today that only credit card data was breached and "there is no evidence that debit PIN numbers were compromised."

The hack into Home Depot recalls a similar security breach at retail giant Target. Late last year hackers obtained credit card data of 40 million Target customers and the personal information for an additional 70 million customers.

Since the Target hack, there has been an apparent uptick in security breaches at retail locations. Over the past few months, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang's all revealed they were victims of security breaches aimed at stealing customers' credit card information.

Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store from April 2014 to now.

"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot chairman and CEO Frank Blake said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."

The credit card data breaches of 2014

See all photos