Home Depot (HD) is contacting the millions of customers whose email addresses were stolen in the massive data breach that also compromised 56 million payment cards.
Last week, Home Depot disclosed that hackers stole a file containing 53 million email addresses as part of the data breach, but cautioned that the file did not contain passwords, payment card information or sensitive personal information.
“The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September,” Home Depot said an email to the customers whose email addresses were stolen.
“We apologize for this incident and for the inconvenience and frustration this may cause you.”
Home Depot’s email states that “in all likelihood, this event will not impact you,” but warns affected customers “be on the alert” for phony emails requesting personal or sensitive information.
Home Depot initially disclosed the email theft as part of its ongoing investigation into the data breach.
Home Depot said that the hackers used a third-party vendor's user name and password to “enter the perimeter” of Home Depot's network. The hackers then used that access to acquire “elevated rights” that allowed them to navigate portions of Home Depot's network and to deploy “unique, custom-built malware” on Home Depot’s self-checkout systems in the U.S. and Canada.
The final cost of the breach is unknown, but the breach as already cost credit unions nearly $60 million.
Home Depot said last week that the malware used in the attack had not been seen in any prior attacks and was designed specifically to evade detection by antivirus software. The company also said that the hackers’ “method of entry” has been closed off and the malware has been eliminated from the company’s systems.
Below is the full text of Home Depot’s email to the affected customers.
Dear Valued Customer,
The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.
In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.
Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.
Sincerely,
The Home Depot