Home Depot: Breach Cost $62M, Exposed 56M Cards

Press release from the issuing company

Friday, September 19th, 2014

The Home Depot, the world's largest home improvement retailer, today confirmed that the malware used in its recent breach has been eliminated from its U.S. and Canadian networks. The company also has completed a major payment security project that provides enhanced encryption of payment data at point of sale in the company's U.S. stores, offering significant new protection for customers. Roll-out of enhanced encryption to Canadian stores will be complete by early 2015. Canadian stores are already enabled with EMV "Chip and PIN" technology.

The company said its fiscal third quarter sales, including sales in September, are on plan. Additional guidance is provided below.

Investigation Details
The investigation into a possible breach began on Tuesday morning, September 2, immediately after The Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.  

Since then, the company's IT security team has been working around the clock with leading IT security firms, its banking partners and the Secret Service to rapidly gather facts, resolve the problem and provide information to customers.

The company's ongoing investigation has determined the following:  

  • Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot's security partners. 
  • The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.
  • The malware is believed to have been present between April and September 2014.

To protect customer data until the malware was eliminated, any terminals identified with malware were taken out of service, and the company quickly put in place other security enhancements. The hackers' method of entry has been closed off, the malware has been eliminated from the company's systems, and the company has rolled out enhanced encryption of payment data to all U.S. stores.

There is no evidence that debit PIN numbers were compromised or that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com or HomeDepot.ca.

The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. Customers who wish to take advantage of these services can learn more at www.homedepot.com or by calling 1-800-HOMEDEPOT (800-466-3337). Customers in Canada can call 800-668-2266.

"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," said Frank Blake, chairman and CEO. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."

Payment Security Enhancements
The company's new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and virtually useless to hackers. Home Depot's new encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms.

The encryption project was launched in January 2014. The rollout was completed in all U.S. stores on Saturday, September 13, 2014. The rollout to Canadian stores will be completed by early 2015.

EMV "Chip and PIN" technology, which began rolling out in early 2013 and already exists in Canadian stores, will be deployed to all U.S. stores by the end of the year, well ahead of a 2015 deadline established by the payments industry.

These projects required writing tens of thousands of lines of new software code and deploying nearly 85,000 new PIN pads to stores.