Home Depot Says 56 Million Credit/Debit Cards Compromised In Breach

Weeks after it was first reported that Home Depot’s in-store payment systems had been breached for many months, the world’s largest home improvement retailer has finally given some idea about the number of accounts that may have been compromised.

The bad news is that, according to Home Depot, between April and September of this year, thieves stole info on approximately 56 million accounts.

The not-disastrous news is that this number is much smaller than had been predicted, given the volume of customers who shopped at Home Depot during that 5-month period. The Target breach in 2013 only lasted for a few weeks, but resulted in the theft of information of more than 100 million customers.

Home Depot’s statement doesn’t offer an explanation for why the number of compromised accounts is so much smaller than originally predicted, but journalist Brian Krebs, who broke the story on the attack, reports today that it looks like the breach may have been confined to self-service checkout terminals at around 1,700 U.S. stores.

While self-checkout lines have their fans, many Home Depot customers still prefer to go through the traditional checkout line when paying. If Krebs’ reporting is accurate, that means that only a fraction of shoppers were made vulnerable during the breach.

And, as someone who had to have his card replaced when it was used to try to buy sketchy diet supplements from a Korean website, I will admit to having shopped at Home Depot only days earlier and to having used the self-checkout line.

While there have been reports that the malware used in this attack was the same as or similar to that used in the Target theft, Home Depot claims this was “unique, custom-built malware” made to evade detection.

“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” reads a statement from the company, which says it took affected payment terminals out of service after being made aware of the breach in early September.

Other not-horrendous news: Home Depot restated its previous claim that it doesn’t look like PIN information was stolen for debit card users.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”

Comments (2)

  1. ReverendTed57 says:

    I have used the self-checkout at the local Home Depot, and I got a letter earlier this week that my bank was replacing that credit card for security concerns. The letter mentioned a compromised retailer but did not mention Home Depot specifically. I have not seen any fraudulent activity on the card.

  2. Cheapocabra says:

    I got an email from Home Depot on this… 12 days after the press blasted it everywhere. And that email says “visit our website for info,” but there’s no link to the site, or even the site’s URL written out. That’s a level of either incompetence or deception that I do not appreciate.

    Then, when you go to the site, it’s a bunch of PDFs and a link to “request” possibly getting their ID protection services that asks YOU to verify that you shopped with them after April 1. Oh, and then you should wait for 72 hours for a confirmation email. It doesn’t say if that’s a confirmation that they received your request, or that you’ll be getting the “protection.”

    This is making Target’s handling of the same thing look amazing, and that’s a pretty sad statement.