US retailer Home Depot has published an update on the investigation into the breach of their payment data systems and has warned that the attackers managed to get their hands on files containing approximately 53 million customer email addresses.
“These files did not contain passwords, payment card information or other sensitive personal information,” they pointed out. Nevertheless, the company is directly notifying all affected customers in the US and Canada, and warning them to be on guard against phishing scams.
The company also shared how the attackers managed to breach their network: “Criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network. These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.”
“As previously disclosed, the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot’s security partners. As the company announced on September 18, the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems,” they added.
The company also noted that, as of September 13, enhanced encryption of payment data has been implemented in all US stores. “Home Depot’s encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms,” they reassured. Canadian customers can expect the same by early 2015.
They are also rolling out EMV chip-and-PIN technology.