Malware · Resolved

Home Depot POS breach

Attackers used a vendor's stolen credentials and custom point-of-sale malware to harvest about 56 million payment cards and 53 million email addresses from Home Depot's U.S. and Canadian self-checkout systems over five months — the largest retail card breach of its time.

  • Victim: The Home Depot
  • Loss: $179.0M
  • Records: 56.0M
  • Users: 56.0M

On 8 September 2014, The Home Depot confirmed it was investigating a breach of its payment systems. By 18 September the home-improvement retailer disclosed that about 56 million payment cards had been compromised across its U.S. and Canadian stores — the largest retail card breach of its time, surpassing the 2013 Target intrusion and the 2005 TJX breach.

What happened

The attackers gained their initial foothold using login credentials stolen from a third-party vendor. From that beachhead they moved into Home Depot's corporate network and ultimately onto the self-checkout point-of-sale (POS) systems, which were less directly supervised than staffed registers.

On those terminals the intruders installed custom point-of-sale malware — widely reported as a variant of the BlackPOS / FrameworkPOS family — designed to scrape unencrypted payment-card data from device memory at the moment a card was swiped. The malware operated from approximately April through September 2014, roughly five months, before it was detected.

What was exposed

  • About 56 million unique payment cards (track data harvested at the POS).
  • Around 53 million customer email addresses, disclosed later in 2014.

Because the malware captured card data in memory before encryption, even cards processed through ostensibly secure terminals were exposed.

Impact

The breach cost Home Depot an estimated $179 million in settlements and related expenses, including:

  • A $134.5 million settlement with payment-card networks and issuing banks for fraud and card-reissuance costs, plus additional payments to credit unions.
  • A consumer class-action settlement and identity-protection services.
  • A $17.5 million multistate settlement in November 2020 with 46 U.S. states and the District of Columbia.

In response, Home Depot accelerated deployment of point-to-point encryption (using Voltage Security) across U.S. stores and adopted EMV chip-card terminals.

Why it matters

The Home Depot breach, coming less than a year after the Target breach, hammered home two lessons for retail security. First, third-party vendor access is a primary attack path — the same vector that compromised Target — and must be tightly segmented and monitored. Second, POS systems that handle card data in unencrypted memory are inherently exposed; the incident accelerated the U.S. retail industry's shift to point-to-point encryption and EMV chip cards, which scramble card data end-to-end and render scraped magnetic-stripe data far less useful to fraudsters.

Financial impact

Reported costs in USD

Total reported loss: 179.0M USD · $179,000,000
  • Business loss: $179.0M

Timeline

  1. Attackers use credentials stolen from a third-party vendor to enter Home Depot's network and deploy custom point-of-sale malware on self-checkout systems.

  2. Over roughly five months the malware scrapes payment-card data from terminals across U.S. and Canadian stores.

  3. Security journalist Brian Krebs reports a likely breach after banks trace fraudulent charges to cards used at Home Depot.

  4. Home Depot publicly confirms it is investigating a potential breach of its payment systems.

  5. Home Depot confirms about 56 million payment cards were compromised and says the malware has been removed and enhanced encryption deployed.

  6. Home Depot discloses that around 53 million customer email addresses were also stolen.

  7. Home Depot agrees to a $17.5 million settlement with 46 states and the District of Columbia over the breach.

Sources

  1. krebsonsecurity.com: https://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/
  2. securityweek.com: https://www.securityweek.com/home-depot-says-56-million-payment-cards-compromised-data-breach/
  3. sec.gov: https://www.sec.gov/Archives/edgar/data/0000354950/000035495014000036/hd_8kx09182014.htm
  4. texasattorneygeneral.gov: https://www.texasattorneygeneral.gov/news/releases/ag-paxton-announces-175-million-settlement-home-depot-regarding-data-breach
