Home Depot store Reuters

US retailer Home Depot has confirmed its payment security systems have been hacked, and the company apologised to its customers for the data breach, which is expected to rival Target Corp's massive breach in 2013.

The company had disclosed that it was investigating a possible breach of its payment data systems, after it received reports from its banking partners and law enforcement.

"We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our US and Canadian stores, from April forward," the company said in a statement on its website.

"We apologise for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue," said Frank Blake, chairman and CEO.

"We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It's important to emphasise that no customers will be responsible for fraudulent charges to their accounts."

The company added there is no evidence that debit PIN numbers were compromised, and that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on. The company earlier promised that it will roll out chip-and-pin enabled cards to all US stores by the end of 2014.

The retailer operates 1,977 stores in the US and 180 in Canada.

The breach was first reported by security website KrebsOnSecurity, which said the hacking attack could affect all of Home Depot's 2,200 stores in the US.

Brian Krebs, who runs the security website, earlier said the data theft could be larger than that of Target, which lost at least 40 million payment card numbers along with other important customer data in 2013. He also noted that Home Depot was attacked by a variant of the same malware that compromised Target's systems.