While investigating a security breach that may have affected over 2,200 of its stores and exposed 56 million credit card accounts, Home Depot says it has now learned that approximately 53 million of its customers' email accounts may have been compromised during the intrusion.
Home Depot has already begun notifying customers whose email accounts the company believes were compromised by the security breach, though it says it doesn't believe passwords or other sensitive information was included in the massive batch of stolen addresses.
While Home Depot announced the potentially exposed cache of email accounts on Nov. 6, it said it learned about them during its weeks of investigations into the security breach that exposed 56 million unique sequences of credit card numbers to hackers.
Despite finding no evidence that email account passwords fell into the hands of hackers, Home Depot is warning its customers to be on the lookout for phishing attempts and other malicious attacks on their inboxes. There's no need to change or abandon email addresses, though vigilance will be required, says Home Depot.
"Even if you do not receive an email notification from us, it's safe to assume your email address could have been stolen," stated Home Depot in a release (PDF).
Home Depot first discovered the attack on its customers on Sept. 2, after being alerted by financial institutions and law enforcement agencies. The company has since learned that the intrusions began back as far as April 2014, affecting customers who used credit and debit cards at any of the company's U.S. and Canadian stores during that time period.
To avoid falling prey to a similar attack, Home Depot has begun rolling out the long-recommended Europay MasterCard Visa (EMV) "chip and PIN" method of encryption. The EMV chip-and-PIN method of smart card payments has already begun to be implemented in U.S. stores and the company expects to roll out the encryption at registers in Canadian locations in 2015, according to Home Depot.
Credit card companies are preparing to shift fraud liability over to merchants in the U.S. in October 2015. The date is being called "EMV D-Day," but it appears many companies on both sides aren't ready for the changeover, according to The Members Group's Brandon Kuehl, senior product manager at the Des Moines, Iowa, payments firm.
"While some have completed their credit card implementations and are starting to think through the same on their debit portfolios, others have not even outlined a timetable for migration," says Kuehl of credit unions.
