Home Depot's payment data breach is the largest in history

Almost two weeks ago, Home Depot (HD) confirmed that its payment data systems at brick-and-mortar stores in the U.S. and Canada had been breached as early as April of this year. However, apart from noting the time frame, insisting that debit PINs hadn't been leaked, and reminding consumers they won't be held liable for fraudulent charges, the home-improvement retailer said it had yet "to determine the full scope, scale, and impact of the breach."

In an update released Thursday, Home Depot estimated the cyberattack has put at risk payment information from a whopping 56 million cards. That makes it the largest payment card leak in history, putting it far ahead of the 45.6 million card numbers stolen in 2007 from TJ Maxx parent TJX, as well as the 40 million-card number theft suffered by Target (TGT) over a three-week period late last year.

This could have been much worse
You read that right: The negative news received a lukewarm reception by the market on Friday, and shares of Home Depot actually jumped for the fifth consecutive session. So what gives?

Initial reports about the severity of the breach were somewhat exaggerated. Security blog KrebsOnSecurity -- which first reported the breach six days before Home Depot's confirmation -- said on Sept. 14 that the startling length of time the suspect malware was in place on Home Depot's payment systems meant this leak "could be many times larger than Target."

At 56 million, Home Depot's breach was indeed significantly bigger than Target's 40 million. But it certainly doesn't fall into the "many times larger" category that KrebsOnSecurity predicted. 

Also working in Home Depot's favor is the now seemingly commonplace nature of these breaches -- a sort of "hacker fatigue" that consumers now feel. It's fair to say the shock value of such events has abated, and card-toting customers simply aren't as paranoid as they were when the Target theft occurred. Of course, it didn't help that later reports noted that Target had abandoned a 2001 decision to adopt "Chip and PIN" card technology, which could have helped it avoid -- or, at the very least, minimize -- the entire debacle in the first place.

On PINs and needles
The reports on Target's card technology lapse stand in stark contrast to Home Depot's response to its breach.

The company assured customers it has already completed the rollout of new point-of-sale data encryption technology at all of its U.S. locations -- a project Home Depot said actually started in January of this year -- and will finish with Canadian locations by early 2015. What's more, Home Depot also began implementing the Chip and PIN technology in early 2013. In fact, it already exists at all Home Depot Canada locations, and the company expects to complete the process in the U.S. by the end of this year.

All told, according to Home Depot, these projects required replacing almost 85,000 PIN pads in stores and writing tens of thousands of new lines of software code. But in the end, Home Depot's pre-emptive efforts to implement Chip and PIN could prove key in minimizing the fallout. 

Timing is everything
There's also the matter of seasonality. Target's painful event unfolded in mid-December last year, which was right in the thick of its all-important holiday season. Sure enough, the big-box retailer significantly lowered its financial guidance only a few weeks later, blaming "meaningfully weaker-than-expected sales since the announcement."

But Home Depot typically enjoys its strongest sales during the already-completed summer months. Perhaps it should come as no surprise, then, that Home Depot also reaffirmed its previous fiscal 2014 guidance for sales to grow roughly 4.8%. Better yet, it even raised its fiscal 2014 earnings guidance by $0.02 per share to $4.54, representing 21% growth over last year -- albeit partially thanks to a pre-tax gain of $100 million related to the sale of 3.6 million shares of HD Supply common stock during the quarter.

That's not to say Home Depot is completely off the hook. The guidance also includes estimated gross expenses of $62 million to cover the estimated cost of its investigation, credit monitoring services to customers, increased call center staffing, and initial legal and professional services related to the event. That cost will be partially offset by a $27 million insurance receivable, according to the Home Depot release.

Home Depot also admitted it can't yet estimate future costs related to the breach. And make no mistake: Those amounts could be significant, considering that Target has already accrued net breach-related expenses of $146 million so far this year, including $111 million in the last quarter alone.

But future costs notwithstanding, it seems Home Depot has done an admirable job so far of handling the largest card payment data breach in history. In the end, that speaks volumes about just how resilient the home-improvement juggernaut has become.