Home Depot has confirmed that its six-month long breach compromised approximately 56 million credit and debit cards, making it the largest retail card breach in history.
The Target breach during a three-week prime holiday shopping season last year exposed 40 million payment cards.
Home Depot said in a press release Thursday that the malware used in its recent breach between April and September 2014 has been eliminated from its U.S. and Canadian networks.
The investigation into a possible breach began on Sept. 2, following reports Home Depot received from its banking partners and law enforcement that criminals may have breached its systems.
Home Depot confirmed the breach a week later, on Sept. 8.
It appears the malware attack "put payment card information at risk for approximately 56 million unique payment cards," according to Home Depot.
The compromised cards were used mainly at registers in the self check-out lanes at Home Depot stores throughout the U.S. and Canada, according to a report by security journalist Brian Krebs who first broke the story of the Home Depot breach.
To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements, the retail giant’s statement noted.
"The hackers’ method of entry has been closed off, the malware has been eliminated from the company’s systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."
The malware had not been seen previously in other attacks, according to Home Depot’s security partners.
While Home Depot's statement reiterated its stance that there is no evidence that debit PIN numbers were compromised, Krebs recently reported that multiple financial institutions have reported a steep increase in fraudulent ATM withdrawals on customer accounts.
The company’s plan to increase payment security — launched in January 2014 —was completed on Sept. 13. The project enhanced encryption of payment data at point of sale in the company’s U.S. stores, “offering significant new protection for customers,” Home Depot said in the statement.
Roll-out of enhanced encryption to Canadian stores will be complete by early 2015. Canadian stores are already enabled with EMV “Chip and PIN” technology.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said Frank Blake, chairman and CEO of Home Depot. “From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so.”
The breach did not affect stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.
Home Depot is offering free identity theft protection services to any of its customers who shopped at a Home Depot store between April and September 2014.
If you have shopped at a Home Depot store dating back to April, it's a good idea to monitor your credit and debit card accounts and notify your bank of any unusual activity.