The nation's biggest home improvement retailer said Tuesday in a regulatory filing that several state and federal agencies also are looking into the data breach and the company may face more litigation from customers, banks, shareholders and others.
Home Depot said the litigation and the investigations may distract management and affect how it runs its business. It also could lead to additional costs and fines. But those expenses aren't clear yet because the cases are in early stages, the company said in a quarterly filing with the Securities and Exchange Commission.
The company said after announcing third-quarter earnings this month that it anticipates a fourth-quarter breach-related expense of about $27 million, but only about $6 million after insurance.
Home Depot has a $100-million insurance policy for breach-related expenses. That comes with a $7.5-million deductible.
The Atlanta-based retailer disclosed the months-long breach of data in September. It has said that the hackers initially accessed its network in April with a third-party vendor's user name and password. Hackers then deployed malware on Home Depot's self-checkout systems to gain access to the card information of customers who shopped at its U.S. and Canadian stores between April and September.
Home Depot's breach surpassed Target's pre-Christmas 2013 data theft, which compromised 40 million credit and debit cards and hurt sales and profits. Since late last year, Michaels, SuperValu and Neiman Marcus have been among a string of retailers that have also reported breaches, though they were smaller.
Home Depot has since said that hackers also stole 53 million email addresses.
The company said in its filing Tuesday that it has completed a major security improvement. Its new security scrambles raw card information to make it unreadable to unauthorized users.
The security project has been completed in U.S. stores, and Home Depot expects to do the same for its Canadian locations early next year.