Do-it-yourself Home Depot giant has confirmed a report that it was breached indicating the compromise occurred in April this year.
The US retail chain was working with law enforcement over compromise of payment terminals across stores in the country.
Chief executive of the hacked firm Frank Blake admitted the breach in a statement issued on the company website.
The retailer said the exact number of customers affected was still not clear. But a person briefed on the investigation said the total number of credit card numbers stolen at Home Depot could top 60 million. By comparison, the breach last year at Target, the largest known attack to date, affected 40 million cardholders.
The breach may have affected any customer at Home Depot stores in the United States and Canada from April to early last week, said Paula Drake, a company spokeswoman. Customers at Home Depot’s Mexico stores were not affected, nor were online shoppers at HomeDepot.com. Personal identification numbers for debit cards were not taken, she said.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” Blake said.
“We apologise for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue”.
The statement says there is no evidence that debit card PINs were compromised and that the investigation was “focused on April forward”.
Online crime reporter Brian Krebs broke the story last week based on insights from unnamed fraud experts working at US banks.
Sources close to the investigation told the reporter an upgraded variant of the BlackPOS malware was behind the home depot hacked accounts.