The stolen e-mail addresses are in addition to the 56 million payment card numbers criminals acquired in an attack the retailer previously disclosed. Hackers penetrated the network using a vendor’s user name and password.

Nov. 7 (Bloomberg) — Home Depot Inc., which suffered a data breach between April and September, said 53 million e-mail addresses were taken by hackers during the attack, in addition to the 56 million payment cards that were previously disclosed.

Home Depot also said that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. Hackers used custom-built software on Home Depot’s self-checkout terminals in the U.S. and Canada to access customer data, according to a statement yesterday.

“Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony e-mails,” the Atlanta-based company said.

Home Depot, which first acknowledged the attack in September, has become one of the biggest victims of hackers’ war on retailers. The world’s largest home-improvement chain has said it expects to pay about $62 million this year to recover from the incursion, including additional costs for call-center staffing and legal expenses. Insurance will cover $27 million of that tab, the company said.

The latest information stemmed from weeks of work by investigators, who are cooperating with law enforcement and information-technology experts, Home Depot said. The e-mail data that was stolen didn’t include passwords or other sensitive information, the company said.


Home Depot is No. 16 in the Internet Retailer Top 500 Guide.

New Malware

Home Depot began investigating the breach on Sept. 2, immediately after banking partners and law enforcement raised alarms that its systems may have been infiltrated. The malicious software used in the breach hadn’t been seen in previous attacks and was designed to evade detection by anti-virus software, the company has said. The vulnerability has been closed off, and Home Depot has eliminated the malware from its systems.

A third-party vendor was also the root of Target Corp.’s breach last year, when hackers stole about 40 million payment card numbers at the height of the holiday season.

So far, Home Depot has weathered its breach more smoothly than Target, which suffered a decline in sales and was reprimanded by lawmakers. Home Depot yesterday reiterated its financial targets for 2014, saying sales will grow about 4.8% and earnings will climb 21% to $4.54 a share.


The shares fell 0.2% to $97.09 at 10:19 a.m. in New York. The stock had climbed 18% this year through yesterday, outpacing the Standard & Poor’s 500 Index’s 9.9% gain.

The company is bolstering the security in all its U.S. stores, including encrypting more data and adding chip-and-PIN technology. Home Depot has almost 2,300 retail stores.