Home improvement chain Home Depot has finally confirmed that its payment data systems have been breached, putting the card details of tens of millions of US and Canadian customers at risk.
In a statement, the company admits that the breach could affect customers who used their cards at US and Canadian stores between April and the discovery of the attack last week.
Home Depot has not given details on what data is at risk, saying only that there is "no evidence" that debit PINs have been compromised. Customers are being offered free credit monitoring. Shoppers who used the Home Depot website and its Mexican stores are not at risk.
According to the New York Times, citing a source briefed on the investigation, as many as 60 million card numbers may have been stolen, making the breach bigger than last year's Target hack, which affected 40 million people.
Home Depot's statement comes a week after security blogger Brian Krebs first reported the breach. Krebs now says that the attack is understood to have used a new variant of the malware tapped in the Target hack.
Some Home Depot tills were infected with a new variant of the BlackPOS malware strain that steals card data swiped at infected systems running Microsoft Windows, says Krebs.
Home Depot has already committed to installing EMV technology at all US stores by the end of the year.