Home Depot this week announced the full known extent of the database breach first reported on Sept. 2: as of now, it's believed that hackers stole 56 million different debit- and credit-card numbers, officially making this the largest such data theft on record.
Security blogger Brian Krebs, who first broke word of the hacking after learning about it from his financial-industry sources, made two Sept. 18 blog posts updating the Home Depot saga.
First, he reported that, according to unnamed sources, Home Depot's investigation is focusing primarily on the self-service checkout machines in various stores.
If it's true that hackers “only” stole customer data from the self-checkouts, this would be good news (relatively speaking); as Krebs said: “The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise. ... so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.”
But later that afternoon he posted again, after Home Depot publicly announced that the hackers had stolen a total of 56 million debit and credit-card numbers. This officially makes it the largest such security breach on record.
At the same time, Home Depot said that all the malware used in the hacking has been removed, meaning customers can safely use their payment cards at Home Depot again.
Home Depot buried the 56 million number in a four-page statement which it released in .pdf form under the snappy title “The Home Depot completes malware elimination and enhanced encryption of payment data in all U.S. stores/Provides further investigation details, updates outlook.” (The article itself mentions that Canadian stores are included in this.)
Though Home Depot said that “any terminals identified with malware were taken out of service,” it didn't specify which kind of terminals. As of press time, there's no further information available regarding Brian Krebs' earlier suggestion that the problems mostly involved the self-checkout lanes.
Regardless of whether you use self-checkout or have cashiers ring up your order, Home Depot is offering free identity-theft protection services, including credit monitoring, to any customer who used a payment card in April 2014 or later.
The press release says that “Customers who wish to take advantage of these services can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266.”