Home Depot has shared new findings from its payment data breach investigation. The retailer has confirmed that in addition to the 56 million payment cards compromised, 53 million email addresses were stolen during the breach, which occurred between April and September 2014. Files containing the emails did not contain passwords, payment card information or other personal information.
The investigation, which was conducted with assistance from law enforcement and third-party IT security experts, confirmed that criminals used a third-party vendor’s user name and password to enter Home Depot’s network. However, these credentials did not provide direct access to the retailer’s POS devices. Hackers eventually acquired elevated rights that allowed them to enter the network and deploy custom-built malware on self-checkout systems in stores across the U.S. and Canada.
Although Home Depot only plans to share any additional details of the breach during its quarterly earnings calls, the retailer is continuing to offer free identity protection services to customers. The retailer also has invested in:
- Enhanced encryption of payment data in all U.S. stores by implementing technology from Voltage Security, Inc. Rollout in Canadian stores will be completed by early 2015.
- EMV chip-and-PIN technology, which was first deployed in Canadian stores in 2011. U.S. stores will be equipped with the technology prior to the payment industry deadline of October 2015.
For the 2014 fiscal year, Home Depot confirmed its diluted earnings-per-share growth guidance of $4.54, an increase of 21%. This total includes the estimated cost of investigating the data breach, providing credit monitoring services to customers, increasing call center staffing and paying legal and professional services.
However, the predicted fiscal earnings-per-share does not include liabilities to payment card networks for reimbursements of payment card fraud and card reissuance costs or liabilities related to the company’s private label credit card fraud and card reissuance. Future expenses for civil litigation, governmental investigations and consulting fees also were not included.