Home Depot Says Data From 56 Million Cards Was Taken in Breach

Photo: Home Depot said that hackers breached the company’s cash register systems in its United States and Canadian stores in April. Credit: Toby Talbot/Associated Press

Updated, 8:21 p.m. | SAN FRANCISCO — Home Depot said on Thursday that the account information of 56 million cardholders was compromised in what is the largest known breach of a retail company’s computer network.

Home Depot said hackers breached the company’s cash register systems in its United States and Canadian stores in April. The hackers, the company said, used custom malware that was designed to evade traditional security tools and had not been previously used in other cyberattacks. The company said that it had since removed infected registers and closed off the hackers’ mode of entry and that it had been using new encryption systems in its American and Canadian stores for the last nine months.

Home Depot has been scrambling to investigate the breach since it became public on Sept. 8. It is unclear how the company missed signs of the attack after a breach last year at Target compromised 40 million cardholders’ information, and after the Secret Service and Department of Homeland Security warned retailers in July that their systems were potentially compromised.

The company said its encryption project began in January but was not completed in its American stores until Saturday. It said encryption in its Canadian stores would not be completed until 2015.

Home Depot’s attack went unnoticed for five months. During that time, hackers found an entry into the company’s network, gained access to its in-store payment systems and installed malware to take payment data off the memory of the company’s registers during processing. The hackers then sent that data back to their servers abroad.

Home Depot said it would offer free identity protection and credit monitoring services to any customer who had used a credit or debit card at affected stores.

“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” Frank Blake, Home Depot’s chief executive, said in a statement.

Security experts and law enforcement say that hackers are actively scanning merchants’ networks for ways to gain remote access to their systems. The Department of Homeland Security and the Secret Service recently estimated that more than 1,000 businesses in the United States had been infected with malware programmed to siphon payment card details from cash registers. They believed that many of these businesses did not know they were sharing customers’ credit card information.

Besides Home Depot and Target, companies that have been attacked by hackers include UPS, Goodwill, P. F. Chang’s, Sally Beauty, Michaels and Neiman Marcus.

The only way to thwart such attacks, security experts say, is for merchants to adopt a new chip-based payment standard known as E.M.V., short for Europay MasterCard and Visa, the technology’s first backers. The technology makes it more difficult for criminals to use stolen account information to make purchases or create counterfeit cards.

Home Depot said that moving to E.M.V. required writing tens of thousands of lines of new software code and deploying it to 85,000 new PIN pads in its stores. It said on Thursday that E.M.V. already existed in its Canadian stores but would not be introduced in its United States stores until the end of the year. Credit card companies have set an October 2015 deadline for American retailers to upgrade their payment systems.