Home Depot loses 56 million customers’ credit card data and offers remediation

The US retailer Home Depot has confirmed that credit card details of potentially 56 million of its customers have been compromised due to a cyber attack. By the time the company learned on 8 September from banks and law enforcement that it had been breached, hackers had been stealing customers’ card information unnoticed for months. The rollout of the company’s new encryption was not completed until last week in the US. The rollout of enhanced encryption to Canadian stores will be completed by early 2015.

The company said in a statement: “We apologize for the frustration and inconvenience this breach may have caused. We also want to emphasize that you will not be liable for any fraudulent charges to your accounts, and we’re offering free identity protection services, including credit monitoring, to any customer who has shopped at a Home Depot store in 2014, from April on.”

Home Depot has been criticised for not notifying its customers until several months after the breach was discovered on 2 September. Some banks have now started to replace all potentially affected cards.

On 18 September the company announced that the malware used in the breach has been eliminated from its US and Canadian networks. Security experts say that the best way to prevent this type of breach is for merchants to adopt a new chip-based payment standard, EMV (Europay, MasterCard and Visa are first adopters). These payment cards contain an embedded microprocessor with strong security features and other capabilities not possible with traditional magnetic stripe cards. Canadian Home Depot stores already use this chip and pin technology.

See the press release.

Read an article about the planned EU data breach notification duty in PL&B UK Report, October 2014. To subscribe, and search back issues since 2000, see here.