Home Depot admits 56 million cards hit by security breach

The hacking attack on retailer Home Depot may have affected 56 million credit and debit cards in Canada and the U.S., the company admits.

Retailer says criminals used previously unknown malware to steal numbers

Theo Chronis, right, and his dad Jim Chronis load bags of mulch into their vehicle at a Home Depot store. The retailer says 56 million cards may be affected by its security breach. ( Daniel Acker/Bloomberg)

The hacking attack on retailer Home Depot may have affected 56 million credit and debit cards in Canada and the U.S., the company admitted Thursday.

Criminals used unique, custom-built malware to steal numbers from Home Depot’s point-of-sale systems, it said. The do-it-yourself retailer has 180 stores in Canada and more than 2,200 in the U.S.

The company said the previously unknown variety​ of malware may have been in its payment systems from April to September of this year.

Home Depot said it has completed a security upgrade that should prevent any further breach of its systems.

Terminals identified with the malware have been replaced and the malicious code has been eliminated from customer systems, it said.

Canadian credit and debit cards have chip technology that should protect customers, it said. Home Depot said it has rolled out enhanced encryption of payment data to all its U.S. stores and plans to have the same safeguards in place in Canada by next year.

Home Depot repeated its assurance that there is no evidence the cybercriminals gained access to customers' PINs.

Reassures investors

The size of the hack makes it more likely Home Depot will face steep costs. A security protection firm estimated costs as high as $3 billion for the company.

Already it faces a class-action suit on behalf of Canadian customers, launched by Saskatchewan lawyer Tony Merchant. He estimates up to four million Canadians may be affected by the breach.

Home Depot hastened to assure investors that it is on track to meet its target sales in the third quarter. It estimated sales will grow by 4.8 per cent and raised its estimate of third quarter profit per share to $4.54, from $4.52.

Discount retailer Target suffered stagnant sales and its profit was hard-hit by its security breach during the holiday season last year.

Home Depot’s profit estimates take into account the costs of investigating the data breach, providing credit monitoring services to its customers and legal and professional services. It has pledged that no customer will be on the hook for any fraudulent charges.

But it has not factored in any losses related to the breach, including liabilities on consumer credit and debit cards and from any civil litigation.

“Those costs may have a material adverse effect on the Home Depot’s financial results in the fourth quarter or future periods,” it said in a news release.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.