The Home Depot, the world's largest home improvement retailer, disclosed additional findings related to the recent breach of its payment data systems, saying that hackers stole about 53 million email addresses in addition to customer data for 56 million payment cards. The company, which confirmed the breach in September, said the files that contained the email addresses did not include passwords, payment card information or other sensitive personal information.
The company is notifying affected customers in the U.S. and Canada.
In addition, after weeks of investigation by The Home Depot, in cooperation with law enforcement and the company's third-party IT security experts, Home Depot disclosed that criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. The company said that those stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy custom-built malware on its self-checkout systems in the U.S. and Canada.
The company maintained that it has not yet estimated the impact of "probable losses" related to the breach.
The malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot's security partners. As the company announced on September 18, the hackers' method of entry has been closed off and the malware has been eliminated from the company's systems.
The company has implemented enhanced encryption of payment data in all U.S. stores. The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers. Home Depot's encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms. Though initially launched in January 2014, implementation of the project was accelerated after the breach and completed in all U.S. stores on September 13, 2014. The rollout to Canadian stores will be completed by early 2015.
The company is also rolling out EMV chip-and-PIN technology, which adds extra layers of payment card protection for customers.