Home Depotannounced an updateon its data breach first announced September 2.
The results of Home Depot’s investigation include:
- Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
- The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
- The malware is believed to have been present between April and September 2014.
The company added that, “To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements. The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores. There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.”
The announcement from Home Depot follows a report by Brian Krebs of Krebs on Security earlier on Thursday that said the company’s card data breach could be limited to the home improvement store’s self-checkout lane.
“Sources now tell KrebsOnSecurity that in a conference call with financial institutions today, officials at MasterCard shared several updates from the ongoing forensic investigation into the breach at the nationwide home improvement store chain. The card brand reportedly told banks that at this time it is believed that only self-checkout terminals were impacted in the breach, but stressed that the investigation is far from complete.”
Krebs also says sources said Visa and MasterCard have been reporting fewer compromised cards than expected.
Earlier reports regarding Home Depot’s breach, which was first made public on September 2, indicated that the breach impacted all 2,200 of the company’s US stores.