Connect with us

Hi, what are you looking for?


Data Protection

Home Depot Says 56 Million Payment Cards Compromised in Data Breach

Home Depot Confirming Data Breach

Home Depot Confirming Data Breach

Home Depot said on Thursday a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014.

While security reporter Brian Krebs originally reported that Home Depot’s payment systems had been hit by a variant of the BlackPOS malwareHome Depot said that according to its security partners, the malware used in the attack had not been seen previously in other attacks.

“Criminals used unique, custom-built malware to evade detection,” the company said in a statement. 

Home Depot did not provide additional details on the malware used against its Point of Sale (PoS) system, many new forms of malware designed to target PoS systems have emerged recently.

According to Trend Micro, six new pieces of point-of-sale malware have been identified so far in 2014. Four of these six variants were discovered between June and August: Backoff, BlackPOS version 2, BrutPoS and Soraya.

The company said that it was first made aware of a potential breach of its payment processing systems on Sept. 2 after being notified by law enforcement. 

Home Depot did say that it has successfully removed the malware from its networks.

“To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements,” the statement continued.

Advertisement. Scroll to continue reading.

The home improvement retail giant also that it has completed a “major payment security project” that provides enhanced encryption of payment card data at point of sale in its U.S. stores.

According to Home Depot, the security improvements required writing tens of thousands of lines of new software code and deploying nearly 85,000 new pin pads to its stores.

EMV “Chip and PIN” technology, which the company began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all U.S. stores by the end of the year, ahead of a 2015 deadline established by the payments industry, Home Depot said.

Home Depot said that its new encryption technology was provided by Voltage Security, Inc.

As one of the largest data breaches on record, the incident follows the massive data breach that affected Target in December, when hackers accessed payment card data for roughly 40 million customers along with personal information for 70 million other consumers.

Free identity protection services is also being offered to any customer who used a payment card at any Home Depot store from April 2014 on.

“This is why big box retailers are great targets for sophisticated, well-resourced cybercriminals,” Trey Ford, Global Security Strategist at Rapid7, told SecurityWeek. “They are able to invest time in researching their targets to find a way into the network. Once they’re in, they stay quiet and fly unobserved under the radar, potentially for months at a time.”

“56 million cards may not be as big as the huge Heartland Payment Systems breach, but it eclipses both the TJX and Target breaches, and that’s going to cost Home Depot a lot of money,” Ford said. “We can expect other large global retailers, such as Wal-Mart, Carrefour, Tesco and Metro AG, will be paying close attention as the investigation continues.”

“Credit card data breaches are not slowing down any time soon, and cybercriminals have different techniques to target all industries,” said Jon Clay, Senior Manager of Global Threat Communications at Trend Micro. “However, our research has revealed that a high majority of PoS RAM scrapers affect the retail industry since these businesses have high credit card transaction volumes. Therefore, it is imperative, now more than ever, that retailers must be on the lookout for these types of data breaches and put preventative measure in place to verify the authenticity of all transactions.”

Home Depot operates 2,265 retail stores in the US, Canada and Mexico and had annual sales of $78.8 billion in 2013.

US-based businesses have been the biggest targets of PoS malware. According to a recent report from Trend Micro, roughly 74 percent of PoS malware detections between April and June have been in the U.S. The Philippines and Japan were second and third on the list at 4.62 percent and 4.41 percent, respectively. The retail industry was the hardest hit, accounting for 67.51 percent of PoS malware detections.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.