The hacking attack on retailer Home Depot may have affected 56 million credit and debit cards in Canada and the U.S., the company admitted Thursday.

Criminals used unique, custom-built malware to steal numbers from Home Depot’s point-of-sale systems, it said. The do-it-yourself retailer has 180 stores in Canada and more than 2,200 in the U.S.

The company said the previously unknown variety​ of malware may have been in its payment systems from April to September of this year.

Home Depot said it has completed a security upgrade that should prevent any further breach of its systems.

Terminals identified with the malware have been replaced and the malicious code has been eliminated from customer systems, it said.

Canadian credit and debit cards have chip technology that should protect customers, it said. Home Depot said it has rolled out enhanced encryption of payment data to all its U.S. stores and plans to have the same safeguards in place in Canada by next year.

Home Depot repeated its assurance that there is no evidence the cybercriminals gained access to customers' PINs.

Reassures investors

The size of the hack makes it more likely Home Depot will face steep costs. A security protection firm estimated costs as high as $3 billion for the company.

Already it faces a class-action suit on behalf of Canadian customers, launched by Saskatchewan lawyer Tony Merchant. He estimates up to four million Canadians may be affected by the breach.

Home Depot hastened to assure investors that it is on track to meet its target sales in the third quarter. It estimated sales will grow by 4.8 per cent and raised its estimate of third quarter profit per share to $4.54, from $4.52.

Discount retailer Target suffered stagnant sales and its profit was hard-hit by its security breach during the holiday season last year.

Home Depot’s profit estimates take into account the costs of investigating the data breach, providing credit monitoring services to its customers and legal and professional services. It has pledged that no customer will be on the hook for any fraudulent charges.

But it has not factored in any losses related to the breach, including liabilities on consumer credit and debit cards and from any civil litigation.

“Those costs may have a material adverse effect on the Home Depot’s financial results in the fourth quarter or future periods,” it said in a news release.