Home Depot Says 56 Million Credit/Debit Cards Compromised In Breach

Weeks after it was first reported that Home Depot’s in-store payment systems had been breached for many months, the world’s largest home improvement retailer has finally given some idea about the number of accounts that may have been compromised.

The bad news is that, according to Home Depot, between April and September of this year, thieves stole info on approximately 56 million accounts.

The not-disastrous news is that this number is much smaller than had been predicted, given the volume of customers who shopped at Home Depot during that 5-month period. The Target breach in 2013 only lasted for a few weeks, but resulted in the theft of information of more than 100 million customers.

Home Depot’s statement doesn’t offer an explanation for why the number of compromised accounts is so much smaller than originally predicted, but journalist Brian Krebs, who broke the story on the attack, reports today that it looks like the breach may have been confined to self-service checkout terminals at around 1,700 U.S. stores.

While self-checkout lines have their fans, many Home Depot customers still prefer to go through the traditional checkout line when paying. If Krebs’ reporting is accurate, that means that only a fraction of shoppers were made vulnerable during the breach.

And, as someone who had to have his card replaced when it was used to try to buy sketchy diet supplements from a Korean website, I will admit to having shopped at Home Depot only days earlier and to having used the self-checkout line.

While there have been reports that the malware used in this attack was the same or similar to that used in the Target theft, Home Depot claims this was “unique, custom-built malware” made to evade detection.

“The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” reads a statement from the company, which says it took affected payment terminals out of service after being made aware of the breach in early September.

Other not-horrendous news: Home Depot restated its previous claim that it doesn’t look like PIN information was stolen for debit card users.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”