September 19, 2014 - US retail chain Home Depot says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.
The investigation into a possible breach began on Tuesday morning, 2 September, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.
In a statement, the company says: "Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot's security partners."
The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company's eftpos tills for four months between April and September.
Home Depot says that it has since ripped out eftpos tills infected with the rogue virus - which is understood to have compromised the retailer's self-checkout terminals - and has rolled out enhanced encryption of payment data to all US stores.
While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain's Canadian stores - where the EMV standard has been implemented - leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.
Home Depot has set aside $65 million to cover the the cost to investigate the data breach, provide credit monitoring services to its customers, increase call centre staffing, and pay legal and professional services. Approximately $27 million of the projected outlay will be covered by the company's insurance.
Home Depot CEO Frank Blake says: "We apologise to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges."