Home Depot: 53 Million E-mail Addresses Taken During Data Breach

The Home Depot has disclosed additional findings related to the recent breach of its payment data systems. The findings are the result of weeks of investigation by The Home Depot, in cooperation with law enforcement and the company’s third-party IT security experts, noted the retailer.

Home Depot’s investigation determined that criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network. The stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.

In addition to the previously disclosed payment card data, which was estimated to impact 56 million accounts, separate files containing approximately 53 million e-mail addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information, said Home Depot. The company is notifying affected customers in the U.S. and Canada.

As previously disclosed, the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot’s security partners. As the company announced in September, the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems.

For consumers, The Home Depot continues to offer free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.

The retailer noted that it has implemented enhanced encryption of payment data in all U.S. stores. The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers, according to the company. Home Depot said its encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms. Though initially launched in January 2014 as part of a strategic plan to expand security, implementation of the project was accelerated after the breach and completed in all U.S. stores on September 13. The rollout to Canadian stores will be completed by early 2015.

In addition, Home Depot is rolling out EMV chip-and-PIN technology, which adds extra layers of payment card protection for customers. Chip-and-PIN technology was deployed to Canadian stores in 2011. Launched as a project for U.S. stores in 2013, the project will be completed ahead of the payment industry’s deadline, noted the retailer.

The Home Depot said its investigation, cooperation with law enforcement and efforts to further enhance its security measures are ongoing, and stated it does not anticipate further updates on the breach outside of its quarterly financial disclosures.