Home Depot Settles 2014 Breach Lawsuit for $17.5 MillionHome Supply Retailer Must Also Implement Several Cybersecurity Protocols
The Home Depot on Tuesday reached a $17.5 million settlement of a multistate lawsuit stemming from a 2014 data breach that compromised the payment card data of 40 million customers, according to the South Carolina attorney general's office.
The settlement, which involves 46 states and Washington, D.C., stems from the breach that happened between April 10 and Sept. 13, 2014, when fraudsters planted credit card skimming malware in Home Depot's network to steal customer payment data. In addition to the financial component of the settlement, the company agreed to implement specific cybersecurity measures to safeguard the personal information of its customers.
"This settlement serves to promote fair but rigorous compliance with state laws, which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers' information from unlawful use or disclosure," South Carolina Attorney General Alan Wilson says.
Home Depot has created a $13 million fund to allow for payments to customers who have documented losses attributed to the breach. Customers also will have the option to receive 18 months of free credit monitoring, Wilson's office says.
A Home Depot spokesperson tells Information Security Media Group: "We're glad to put this matter behind us and continue to focus on serving our customers." Since the breach, the company has "invested heavily to further secure our systems," the spokesperson adds.
Additional Security Measures
Wilson's office notes the company will have to build upon the security measures it has already put in place since the security breach happened. As part of the settlement, The Home Depot must:
- Employ a CISO reporting to both senior executives and the board of directors;
- Provide the resources necessary to fully implement the company's information security program;
- Provide appropriate security awareness and privacy training to all personnel who have access to the company's network or responsibility for U.S. consumers' personal information;
- Implement security safeguards, including logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management.
The Home Depot will also undergo a post-settlement review to ensure the agreed-upon details are being implemented.
Todd Rowe, an attorney with Tressler LLP of Chicago who specializes in insurance and privacy issues, says that Home Depot has likely already implemented many of these changes. For example, in 2019, it hired Stephen Ward as CISO and named him to the board of directors.
"If a company like Home Depot didn't have these security measures in place by 2020, it would be pretty negligent," Rowe says, calling the $17.5 million settlement "paltry."
But the attorney general's offices in the 46 states see the settlement as a way to put corporations on notice.
"Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk," New York Attorney General Letitia James said after the agreement was announced Tuesday. "My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information."
A Major Breach
The big-box retailer reported the breach on Sept. 18, 2014, saying an estimated 56 million payment cards were compromised when an attacker's custom-built malware gained access to its payment system.
At the time, the U.S. Department of Homeland Security warned retailers that the malware - dubbed Mozart - was designed to exploit Home Depot's system (see: Fraud Tied to Home Depot Breach Mounting).
Managing Editor Scott Ferguson contributed to this report.