NEW YORK >> Home Depot said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers.

The size of the theft at Home Depot trails only that of TJX Cos.’ heist of 90 million records disclosed in 2007. Target’s breach compromised 40 million credit and debit cards.

Home Depot, the nation’s largest home improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.

Bruce Kim, executive director of the Hawaii Office of Consumer Protection, said the state agency doesn’t have any confirmation yet about the number of Hawaii residents who may have been affected by the breach. However, he urged Hawaii residents who may have used a payment card at Home Depot during the affected period to contact Home Depot immediately about obtaining free identity protection services, including credit monitoring.

Customers can call Home Depot at 800-466-3337 or go to www.homedepot.com.

Home Depot recently issued a statement reassuring affected shoppers that they won’t be liable for any fraudulent charges related to the breach.

Home Depot said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online. It said it has also completed a "major" payment security project that provides enhanced encryption of customers’ payment data in the company’s U.S. stores.

But unlike Target’s breach, which sent the retailer’s sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach’s ultimate cost to the company remains unknown.

Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars.

By Anne D’Innocenzio Associated Press