The world's largest DIY retailer has admitted that 56m credit and debit card numbers were compromised over a five-month period in one of the worst breaches of customer data ever recorded. Home Depot said on Thursday night that although the data theft began in April, the malware used by the hackers had only been completely removed from its systems this month.
The breach was revealed on 2 September by the security website Krebs on Security, which said that all 2,200 of Home Depot's US stores could have been affected. The chain, which did not confirm the data breach until 8 September, said that security groups Symantec and FishNet Security were brought in to investigate the possible hacking as soon it became known.
The criminals used "unique, custom-built malware" that had not been seen in similar attacks, which helped them to avoid detection for so long, Home Depot said. It had completed a major payment security upgrade to ensure better encryption of customers' card numbers.
US retailers have been slower to adopt the chip-and-Pin technology found in Britain and most European countries as many American credit cards still lacked the appropriate chips. The US payments industry has set a deadline of October 2015 to switch to chip and Pin.
Frank Blake, chairman and chief executive of Home Depot, apologised to customers for the "inconvenience and anxiety" of the breach and said they would not be liable for any fraudulent charges.