US retailer Home Depot has said that nearly 56 million payment cards were likely compromised in a five-month-long cyber attack on its payment terminals, suggesting the data theft was larger than the unprecedented holiday attack on Target.
The home improvement chain, providing clues to how much the breach will cost, said in a statement that it had estimated costs of $62m (£38n, €48m) but hinted that expenses could rise.
Of that estimate, which covers costs for credit monitoring, increased call centre staffing, legal and professional services and federal investigations, Home Depot said that $27m could be paid for by insurers.
But the company said it had not yet estimated the impact of "probable losses" related to the breach.
Home Depot also said it had revised its earnings estimate for its fiscal year ending February to $4.54 per share from $4.52.
The guidance includes a pre-tax gain of about $100m from the sale of 3.6 million common shares of HD Supply.
But the company left its outlook for sales growth for the year at 4.8%.
Home Depot said: "Costs related to the breach may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs; liabilities related to the company's private label credit card fraud and card reissuance; liabilities from current and future civil litigation, governmental investigations and enforcement proceedings; future expenses for legal, investigative and consulting fees; and incremental expenses and capital investments for remediation activities.
"Those costs may have a material adverse effect on The Home Depot's financial results in the fourth quarter and/or future periods."
Chief Executive Frank Blake said: "We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges.
"From the time this investigation began, our guiding principle has been to put our customers first, and we will continue to do so."
In April, America's largest arts and crafts retailer, Michaels Stores, reported a security breach.
The firm said that about 2.6 million customer credit and debit cards used at its stores may have been affected in the breach.
The firm also said that its subsidiary Aaron Brothers had been attacked, exposing information on an additional 400,000 cards.
In January, retailer Neiman Marcus revealed that it had been a victim of a cyber attack.
Retailer Target suffered costs of $148m related to its data breach, after hackers stole at least 40 million credit and debit cards numbers.