ATLANTA — Home Depot Inc. said that the malware hackers used to steal an estimated 56 million debit and credit card numbers from its customers in the United States and Canada between April and earlier this month has been eliminated from its store networks, closing off the cyberthieves’ point of entry.
The scale of the theft, nonetheless, makes the incident the largest retail card breach on record.
It might have been much bigger, given the five-month duration of the operation. Security experts suspect that the custom-built malware designed to evade detection once installed on the company’s system was limited to Home Depot’s self-checkout lanes.
The cyberthieves who last year accessed Target Corp.’s computer networks via stolen credentials of a heating and ventilation contractor pilfered personal and payment card data from some 40 million customers over about three weeks during the holiday shopping season. Another 70 million customers had personal details stolen in that cyberattack.
In a security filing last month, Target said costs associated with the data breach episode amounted to $148 million in the second quarter alone, a sum partially offset by a $38 million insurance payment. Target’s costs associated with legal, consulting and credit monitoring services continue to mount.
Prior to the Home Depot incident, the largest retail breach involved theft of nearly 46 million debit and credit cards from TJX Cos. in 2007.
The string of breaches that have hit U.S. companies, including arts and crafts chain Michaels Cos., UPS and Neiman Marcus, is thought by many experts to be the work of organized gangs of cybercriminals, who are after a high volume of valuable financial data that can be easily sold.
Home Depot officials also sought to reassure customers by reporting that it had completed a major security project that encrypts payment data at its point-of-sales terminals, rendering it useless to hackers. The project, begun in January, covers the retailer’s U.S. stores. A similar system is expected to roll out in its Canadian stores by early 2015.
Home Depot’s Canadian stores are already enabled with “chip and PIN” — a more secure credit card technology used in much of the world but not yet widely deployed in the U.S. Major payment processors have set an October 2015 deadline for retailers to install such measures or be liable for fraud caused by using outdated methods.
Home Depot said its “chip and PIN” will be deployed in its U.S. stores by the end of the year. In addition, the retailer said it would offer free identity protection and credit monitoring services to any customer who had used a credit or debit card at stores affected by the breach.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,’’ said Frank Blake, Home Depot’s chief executive officer.