Home Depot Inc. said Tuesday that it faces at least 44 civil lawsuits in the U.S. and Canada related to a widespread data breach at the home-improvement retailer earlier this year.
The company, which is also under investigation by several state and federal agencies, warned that the claims and probes "may adversely affect how we operate our business, divert the attention of management from the operation of the business and result in additional costs and fines," according to a filing.
Home Depot said its investigation of the breach continues, and that it is still assessing its financial and other impacts. The company said that it is possible it will identify other data that were stolen or exposed.
In a bid to prevent future attacks, Home Depot said Tuesday that it completed a project that encrypts customer credit-card data at the point of sale in all of its U.S. stores. It also expects to roll out the encryption system to its Canadian stores by early next year. Additionally, Home Depot said its U.S. stores will soon have EMV chip-and-PIN technology, which helps authenticate transactions with debit and credit cards.
The company revealed earlier this month that 53 million customers' emails were stolen in a cyberattack that had also compromised an additional 56 million customer credit-card accounts, an intrusion the retailer had previously disclosed in September.
While reporting financial results, Home Depot said last week that the breach resulted in $28 million of pretax expenses in the most recent period.
Home Depot took out a $100 million insurance policy for data-breach expenses last year before last year's hack at Target Corp., which drew widespread attention to information security during the holiday-shopping period. The company told investors that the policy covers some legal and fraud expenses, but not all related costs.
Other expenses related to the data breach may include reimbursements for credit-card fraud, credit-card reissuance, investigations and litigation, among other items, Home Depot has said. Chief Executive Craig Menear said on a conference call with analysts last week that customers wouldn't be responsible for fraudulent charges related to the breach.