More than two weeks after Home Depot's cyber-attack was first discovered, the retailer said today that the payment data breach exposed 56 million credit and debit cards.
The company said the breach has been contained and the malware responsible eliminated.
The malware was custom-built to evade detection and, contrary to earlier reports, had not been seen in other breaches, the company said.
The Secret Service said it is "still an ongoing investigation."
The breach eclipsed that of Target last year, which affected about 40 million credit and debit cards.
Like Target, Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store beginning in April 2014.
Home Depot promised “significant new protection for customers” in a statement released today, at a cost of $62 million. The attack, which is now confirmed to have lasted from April to September, was conducted with custom-built malware to evade detection, Home Depot said.
The company has 2,266 retail stores globally, including the U.S., Guam, Canada and Mexico.
Home Depot claims there's "no evidence that debit PIN numbers were compromised" or that the breach affected customers who shopped online.
The investigation into the breach began September 2 after the company received reports from law enforcement and banks.