The company insisted the stolen files did not contain passwords or other sensitive personal information, and said it would be contacting affected customers, all of whom are located in the US and Canada.
However, it warned those who’ve shopped at its stores to be on the lookout for phishing scams, which attempt to trick people into providing personal information via fake emails.
The retail giant said that its investigation showed that cybercriminals had gained access to the perimeter of Home Depot’s computer network through the use of a third-party vendor’s username and password.
“The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada,” the company explained in a news release.
Apology
Home Depot discovered the security breach in September. Its research revealed that cybercriminals had been harvesting customer-related data from in-store point-of-sale systems from April this year until the start of September.
When the breach was uncovered, Home Depot CEO Frank Blake apologized to customers, at the same time reassuring them that they wouldn’t be liable for any fraudulent charges.
Others hit
But Home Depot isn’t the only company affected by this malware – the Department of Homeland Security said recently that up to a thousand US companies and organizations could have the same malicious software – or variants of it – on their computer systems without realizing, and recommended that all businesses which use such systems to run thorough checks.
Home Depot’s breach is even bigger than the one that hit Target last year involving 40 million credit and debit cards. And other big names have been hit recently, too, including The UPS Store, Michaels, SuperValu, and PF Chang’s restaurants.
