Home Depot announced on Thursday that the information of 56 million cardholders had been compromised over a five-month period.
The data theft occurred between April and September at its stores in the U.S. and Canada. The home improvement retailer also said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped at the retailer’s website.
"We apologize to our customers for the inconvenience and anxiety this has caused and want to reassure them that they will not be liable for fraudulent charges," said Chief Executive Frank Blake.
In its most complete account of what had happened since it first disclosed the breach on Sept. 8, Home Depot said that criminals used unique, custom-built software that had not been seen in previous attacks and was designed to evade detection. The Sept. 8 disclosure came six days after the company received reports from its banking partners and law enforcement that criminals may have breached its systems.
Home Depot said that since then the hackers' method of entry has been closed off, the malware used in the data breach has been eliminated, and it has rolled out "enhanced encryption of payment data" to all U.S. stores, a project that will be completed in Canadian outlets by early 2015.
Hitesh Sheth, chief executive of Vectra Networks, a cybersecurity firm in San Jose, California, said Home Depot’s breach exposes a weakness, noting that the company said hackers used unique, custom-built malware.
This "essentially means the technology they are using is only designed to detect malware that has already been used in a previous attack, and that is symptomatic of the retail industry," Sheth said.
"Retailers need to upgrade to technology that is available and detects behavior of malware that is new because these attacks are not going to stop anytime soon."
Home Depot will be expected to bear the costs related to fraud and payment card replacement, according to Wesley McGrew, an expert on retail breaches who is an assistant research professor in the department of computer science at Mississippi State University.
Banks typically seek to get retailers to cover those costs if there are any indications of shortcomings in their security.
Criminals have frequently used software that evades detection, but retailers are expected to closely monitor their networks using tools that are designed to uncover signs of a crime in progress, McGrew said.
"It's hard to feel sorry for them when there are things they could have done to improve the security of these transactions," McGrew said.
Unlike Target's breach, which resulted in falling sales as shoppers worried about their privacy and security, Home Depot's business remains intact so far.
Customers appear to be growing accustomed to breaches, following a string of them this past year, including SuperValu and Neiman Marcus. Home Depot might also have benefited from the timing: the disclosure came in September, months after the spring season, which is the busiest time of year for home-improvement chains.
However, Home Depot, which is based in Atlanta, estimated it will incur costs of $62 million related to the breach but indicated that figure could be much higher. The costs include credit monitoring, increased call center staffing, and legal and professional services. Home Depot said it believes that $27 million of the amount will be paid for by insurers.
But the company said it has not yet estimated the impact of "probable losses" related to the possible need to reimburse banks for fraud and card replacement, as well as covering costs of lawsuits and government investigations.
"Those costs may have a material adverse effect on The Home Depot’s financial results in the fourth quarter and/or future periods," the company said in its statement.
Al Jazeera and wire services