Home Depot Inc. said Thursday that a data breach between April and September put about 56 million credit and debit cards at risk.
The hackers used custom-made software to evade detection, relying on tools that haven't been seen in previous attacks, Atlanta-based Home Depot said Thursday in a statement. The company began investigating the breach Sept. 2 after banking partners and law enforcement raised alarms that its systems may have been infiltrated.
A data breach in 2007 of 90 million records taken from TJX Cos., the parent company of discounters TJ Maxx and Marshalls, remains the largest hacker theft. Target Corp.'s pre-Christmas 2013 breach involved 40 million compromised credit and debit cards.
Home Depot, the world's largest home-improvement chain, expects to pay about $62 million this year to recover from the incursion, including additional costs for call-center staffing and legal expenses. Insurance will cover $27 million of that tab, the company said.
"We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges," Chief Executive Officer Frank Blake said in the statement. "From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
So far, the hacker attack hasn't hurt Home Depot's growth prospects. Sales have been progressing as expected this quarter, the company said Friday. For the year, the chain expects revenue to increase 4.8 percent.
The company also raised its annual profit forecast to $4.54 a share, up from a prediction of $4.52 last month. Included in this guidance is a pretax gain of $100 million from the sale of shares in HD Supply Holdings Inc., a Home Depot spinoff.
Home Depot shares also haven't suffered much from the breach revelation. The shares have gained 1 percent since the attack was first made public and rose 87 cents Thursday to close at $92.09. The stock was little changed in extended trading after Thursday's announcement.
The company said there's no evidence personal identification numbers for debit cards were compromised. That information is especially sensitive because it can be used to withdraw cash from an automated teller machine. The chain also affirmed that purchases made online and at stores in Mexico weren't affected.
The sales impact on Home Depot also may be muted because this breach was disclosed in September, after Home Depot's key selling season, according to Bloomberg Intelligence.
Target suffered a bigger blow from its attack because it came during the height of last year's Christmas-shopping season. As of Aug. 2, the discounter recorded $146 million in expenses related to the incursion.
After the attack became public in December, Target's reputation and foot traffic took a hit. The Minneapolis-based company's U.S. comparable-store sales decreased 2.5 percent in the fourth quarter.
For Home Depot, the attack coincides with a chief executive officer transition. Craig Menear, the chain's president of U.S. retail, will succeed Blake as the company's leader on Nov. 1. Blake, who took over in 2007, will remain chairman of the board.
The breach at Home Depot was first reported by Brian Krebs of Krebs on Security, a website that focuses on cybersecurity. Krebs said multiple banks reported "evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards" that went on sale on the black market.
Information for this article was contributed by Nick Turner of Bloomberg News and Anne D'Innocenzio of The Associated Press.
Business on 09/19/2014