Many corporations want to be number one, and that typically means being the largest or having the most. However, no company wants to be known for having the largest breach of credit card information. Yet Home Depot recently became known for just that, as it announced this month that it had been the victim of a credit card breach that put nearly 56 million payment card numbers at risk of being used in identity theft. This breach is larger than the one Target suffered nearly a year ago, which exposed 40 million card numbers.
Home Depot announced it had been looking into a possible breach on September 2, when law enforcement and its banking partners contacted it about the matter. The company put its IT security team on the case, working with security firms, banks and the Secret Service, which has an Electronic Crimes Task Force, to verify the breach and figure out the extent of the situation.
On the eighth, the hardware retailing giant confirmed that a breach had occurred, and it exposed any customer who used a payment card for their purchases at stores in the United States and Canada between April and September of this year. The retailer believes that its Mexican stores and e-commerce site were not compromised.
The company believes the information for about 56 million payment cards was exposed during the breach, although it does not believe any PINs were stolen along with the payment card information.
One of the reasons this breach may have evaded Home Depot's security for so long is that the data thieves wrote their own unique malware. Since no one had ever seen it used in an attack on a data system, it went undetected.
Since the discovery, Home Depot completely removed payment terminals that contained the malware and added extra security measures. The company says this effort has cut off the hackers' point of entry into its network and removed the malware from its system.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," said Frank Blake, chairman and CEO of Home Depot, in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
To thwart a repeat attack, Home Depot has implemented extra security measures in its stores. It has added new encryption technology that scrambles raw payment card information. Hackers who infiltrate a system and capture the scrambled payment information won't be able to use it in any way.
Home Depot's U.S. stores received this encryption technology by September 13. By early 2015, Canadian stores will have it as well.
Additionally, Home Depot will be stepping up its implementation of EMV chip and PIN technology to have payment terminals in place by the end of this year. Canadian stores are already outfitted with this technology.
For customers looking for a sliver of a silver lining in this dark cloud, if you had received a year of free identity protection from last year's Target breach and had used a credit or debit card at Home Depot after April, you're eligible for another free year of credit monitoring and identity theft insurance. Home Depot sent an e-mail to its customers on the 21st and put a notice on its website about the services, which went into effect on the 19th. Home Depot is making this twelve-month service available to American customers from AllClear ID and Canadian customers through Equifax. Customers who are eligible for it can link to the identity protection registration page through Home Depot's website or by calling 1-800-HOMEDEPOT (800-466-3337).