Home Depot said Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the U.S. and Canada since April.
There's no evidence yet that debit card PIN numbers had been compromised, the company said, though it was still figuring out the scope and scale of the attacks.
Home Depot doesn't believe people who shopped online at HomeDepot.com, or at its physical stores in Mexico, were affected, it said.
The company didn't specify what information tied to people's cards may have been compromised, and a spokeswoman declined to comment further.
Home Depot made the announcement after nearly a week-long investigation conducted with IT security firms, banking partners and the Secret Service, it said. The investigation focused on the period from April onward.
Home Depot assured customers that they won't be held responsible for fraudulent charges and said it would provide identity protection services, including credit monitoring, to any customers who used a payment card at a Home Depot store since April.
"We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," Home Depot Chairman and CEO Frank Blake said in a statement.
Home Depot began its investigation last Tuesday after receiving reports from police and banks that criminals may have hacked its payment systems.
It's the latest in a number of large retailers and businesses, such as Target and Neiman Marcus, to have been targeted by cyber criminals in the past year.
Sign up for CIO Asia eNewsletters.