Home Depot (HD) said Thursday that it has identified the malware used to steal customer payment information and has eliminated it from the company's network.
An estimated 56 million credit and debit cards used to pay at Home Depot stores are at risk, the company said in offering the latest update of data breach disclosed earlier this month. This week, a credit monitoring service estimated that fraud losses due to the intrusion could reach $3 billion.
The malware hackers used to steal customer information was unique and was customized to avoid being detected, the retailer said. Home Depot said the malware used in the theft was likely in the company's networks from April until earlier this month.
"To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements," Home Depot said in a statement. "The hackers' method of entry has been closed off, the malware has been eliminated from the company's systems and the company has rolled out enhanced encryption of payment data to all U.S. stores."
Home Depot added that it has found no evidence that customers' debit card PIN numbers were accessed in the theft. In addition, purchases made on HomeDepot.com, HomeDepot.ca and in stores in Mexico were not involved in this breach, the company said.
Home Depot is offering free credit monitoring for one year to affected customers.To get the free ID theft protection and credit-monitoring services, visit the company's website or call 1-800-HOMEDEPOT (800-466-3337).
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Frank Blake, Home Depot's chairman and CEO, said in a statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
The company also cautioned shareholders that it could be liable for a laundry list of expenses due to the breach. Those costs could include owing payment card networks for reimbursements of credit card fraud, along with the cost of reissuing cards; litigation and other legal fees; resolving technical issues involved in the breach and installing new systems; and possible expenses related to government investigations and potential enforcement.