Lots of people who speculated about the source of the credit card data breach at the Home Depot turned out to be wrong.
But those who suggested that Home Depot's breach might end up bigger than Target's turned out to be spot on.
As the home improvement retail giant revealed in a statement on Thursday, 18 September 2014, 56 million unique payment cards were compromised in the attack.
The attack on Target in late 2013 resulted in the theft of 40 million credit and debit card numbers, although Target also managed to lose 70 million other customer records.
However, despite some initial reports that malware responsible for
the compromise of the Home Depot's point-of-sale (PoS) systems was the
same malware that hit Target, that's apparently not the case.
Instead, malware on the Home Depot's PoS registers was "unique,
custom-built malware" that "had not been seen previously in other
attacks," the company said.
The malware had been present on Home Depot systems since April 2014 and was finally eliminated on 13 September 2014.
The company said it began investigating the breach on 2 September
2014 after it was notified by banking partners and law enforcement of
suspicious activity, and has worked with security firms and the US
Secret Service to close off the attack.
In response, the Home Depot has rolled out "enhanced encryption" in
all of its US stores to make credit card data unreadable, and will
complete adoption of EMV Chip-and-PIN technology by the end of the year.
Canadian stores, which are already enabled with Chip and PIN
technology, will receive the new encryption system in 2015, the company
said.
As is becoming routine in the wake of recent data breaches at Supervalu, The UPS Store and others, the Home Depot issued an apology and said it is offering free credit monitoring services to those affected.
The company estimated that the cost of its investigation, credit
monitoring, customer outreach, call center staffing and legal costs will
add up to about $62 million, about $27 million of which it expects to
have reimbursed by insurers.
Yet the total cost of the breach could end up much, much larger.
As the company said in its updated earnings forecast, future costs could include a host of other liabilities:
Costs related to the breach may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs; liabilities related to the company’s private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.
Silver linings
It might be hard to see the good in such a costly data breach that
has put potentially tens of millions of card-holders at risk of fraud,
but the Home Depot's mega-breach should, hopefully, be the final nail in
the coffin for the old magnetic stripe credit cards predominant in the US.
Magstripe cards, as they are often called, are vulnerable to the type
of attack seen at the Home Depot and Target because they rely on
50-year-old technology that transmits card numbers that can easily be
stolen and used anywhere.
EMV Chip and PIN cards, on the other hand, use a unique code for each
transaction, so even if that code is compromised it is useless
to attackers for making fraudulent charges.
Magstripe card readers are also vulnerable to so-called RAM scraper malware that steals cleartext payment card data out of RAM (Random Access Memory) on PoS computers.
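To make the contrast concrete, here is an added example (not code from the article or from Home Depot) that models a simplified EMV-style transaction cryptogram in Python: a per-card secret and a transaction counter (ATC) mean that an authorization request captured from a register is rejected when resent or edited, whereas copied magstripe track data is just static bytes that work anywhere. The cryptogram construction, the field names and the test PAN are constructed for this illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed model only: real EMV derives session keys from a master key,
# uses 3DES/AES MACs and covers many more data elements. Kept here are the
# two pieces that defeat replay: a transaction counter and a keyed MAC.

def _mac(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

@dataclass
class Card:
    pan: str
    key: bytes          # card-unique secret; never leaves the chip
    atc: int = 0        # application transaction counter (ATC)

    def authorize(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1   # one fresh counter value per purchase
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": nonce,
                "arqc": _mac(self.key, self.atc, amount_cents, nonce)}

@dataclass
class Issuer:
    keys: dict                                    # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest ATC seen

    def verify(self, req: dict) -> str:
        key = self.keys.get(req["pan"])
        if key is None:
            return "DECLINE: unknown card"
        expected = _mac(key, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE: bad cryptogram"      # any edited field breaks the MAC
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: replayed ATC"       # same data presented again
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

def demo() -> tuple:
    card = Card("4111111111111111", b"constructed-card-key")  # constructed test PAN
    issuer = Issuer({card.pan: card.key})
    req = card.authorize(4999, b"\x01\x02\x03\x04")
    first = issuer.verify(req)                 # genuine purchase
    replay = issuer.verify(dict(req))          # same request captured and resent
    altered = dict(req, amount=9999, atc=req["atc"] + 1)  # captured data, fields changed
    return first, replay, issuer.verify(altered)
```

The PAN in this model is still static data: the cryptogram defeats replay but does not hide the card number, which is what the article's "enhanced encryption" at the register is meant to address.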
The Home Depot said the roll-out of its enhanced payment card system
required "writing tens of thousands of lines of new software code" and
adding 85,000 new PIN pads in its stores - undoubtedly another very
costly undertaking.
It's unfortunate that US banks and retailers have lagged far behind their counterparts
across much of the rest of the world in adopting more secure payment
card technology - in part due to the high cost of replacing so many
thousands of PoS devices.
As we can all see clearly now, the cost of not doing so is enormous and rapidly mounting.