More information on the breach of home improvement retailer Home Depot was announced today. While the company still says that only stores in North America are affected by the breach, it now adds that the information from 56 million unique payment cards was at risk. The company provided further insight into the steps taken since the breach, including adding stronger encryption after the malware was completely removed from terminals.
In contrast to the largest malware breach of 2013, Home Depot ended up with significantly more consumers with exposed information than Target did. Target saw more than 40 million payment cards exposed during its breach, but Home Depot's window of vulnerability was much longer. Whereas Target's intrusion lasted three weeks, Home Depot was affected from April to September. The hardware and remodeling chain now holds the title for the largest card breach of a retailer in history.
Additional information included some details on the type of malware that was used in the event. The company has said that the malware was custom-built and evaded traditional detection. Those helping Home Depot research the breach say that it was malware that had yet to be seen in such an attack. This falls in line with information that security analyst Brian Krebs and Trend Micro shared after the breach was confirmed.
Home Depot says that the malware has been eliminated, with the company going as far as removing any terminals that were identified as being affected. It continues to say there is no evidence PIN numbers were compromised during the breach.
"The hackers' method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all US stores," said the company in a statement to investors. Previously, Home Depot also said that it would be rolling out the use of EMV chip-and-pin technology before the end of the year.
Along with the added encryption, 85,000 new terminals are being deployed. As for the encryption, Home Depot says that the technology from Voltage Security was "tested and validated by two independent IT security firms."
The project was started in January 2014, with completion being reached in the United States on September 13. Rollout in Canada is scheduled to be complete during the first part of 2015. Information on how the new encryption interacted with the infected terminals wasn't outlined, nor was how it was tested and verified.
If Home Depot started rolling out the encryption before the malware was completely eliminated, then there could be potential for further issues. Without knowing more about how the timeline played out or how secure the encryption is, it's hard to say that there's no possibility of future customer exposure. Bank sources tell Brian Krebs that compromised cards were still being reported on September 7, five days after Home Depot stated it was looking into activity.
As if to ease the minds of investors, the statement from Home Depot added that the company was on schedule to hit its planned sales figures for the third quarter. However, the forecast doesn't include costs related to the breach, since the company is unable to estimate the total liability it may be responsible for.