data breach at its stores, suggesting that the data breach on Home improvement chain was larger than the Target data breach that occurred last year during Christmas holidays.
The data theft occurred between April and September at Home Depot stores in both the United States and Canada, but the confirmation comes less than a week after the retailer first disclosed the possibility of a breach.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Home Depot CEO Frank Blake said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
It is believe that the cybercriminals successfully compromised the Home Depot's network and installed a unique, custom-built software on the company's point-of-sale (PoS) systems in order to steal information on its customers' debit and credit cards and siphoned off to cyber crooks, the company stated.
The nasty malware used to infect the company's system had not been seen in any of the previous cyber attacks. The malware was designed to evade detection in its most complete account.
In upcoming days, the payment cards details are believed to be sold in underground black market, resulting in identity theft to millions of customers. But to help its customers, Home Depot also said that it is offering free identity protection services to those customers who may have been affected by the data breach.
According to the Home improvement retailer, so far the costs of the data breach is estimated to be $62 million, but it could reach much higher because the full scope, scale and impact of the breach has yet to be determined, so it may take months in calculating the actual loss.
"To protect customer data until the malware was eliminated, any terminals identified with malware were taken of out service, and the company quickly put in place other security enhancements," Home Depot said in its statement. "The hacker's method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores."
The company assured its customers that no PINs were obtained in the data breach and it found no evidence of fraud on the compromised accounts yet. Also there is no evidence that anyone who shopped at stores in Mexico or shopped online at the retailer's website were affected.
As a part of its efforts, the DIY giant has completed a "major payment security project" in order to provide enhanced encryption at the point of sale in the company's U.S. stores. This project will be completed in Canadian outlets by early 2015, offering significant new protection for customers.
The exposure of the data breach put Home Depot in the list of firms that have been compromised by point-of-sale malware, in which the U.S. retailer Target topped the list. However in coming weeks, Home Depot breach may give a tough competition to Target breach, which resulted in the loss of 40 million cards and the personal information of 70 million individuals, lasted three weeks during the 2013 holiday shopping season.