Home Depot to pay U.S. states $17.5 million for 2014 data breach

It’s taken six years but a number of U.S. states have finally come to an agreement on financial penalties and other remedies against The Home Depot for a huge data breach in 2014.

Home Depot will have to pay 46 states and the District of Columbia $17.5 million and implement a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

The money will be divided among the states. New York, for example, will get $600,000.

“New Yorkers have every reasonable expectation that their personal financial information will remain private and protected,” Attorney General Letitia James said in a statement. “Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk. My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information.”

The breach occurred when hackers gained access to The Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. The malware allowed hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the U.S. and Canada between April 10, 2014 and September 13, 2014. Some 53 million email addresses and 56 million credit and debit card details were stolen.

Ontario victims of the breach reached a  settlement with the retailer in 2016 in a class-action lawsuit.  That included creating a $250,000 settlement fund to compensate any documented losses to victims arising from the breach, up to a maximum of $5,000 per claimant Home Depot also agreed to pay for credit monitoring up to a maximum of $250,000 and to cover the costs of notifying class members and administering the fund. It also agreed to paying $400,000 in claimants legal costs.

In his decision, the judge concluded the breach was due to criminal hackers and not because of any wrongdoing by Home Depot. The retailer openly and promptly notified customers, he pointed out, and sought to lessen any potential harm arising from the breach, which resulted in little documented losses.

In the U.S., Home Depot agreed to pay some $19.5 million to U.S. customers in a class-action lawsuit.

In 2016, Home Depot released a report on its investigation of the breach saying criminals used a third-party vendor’s user name and password to enter the perimeter of its network.  These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. But the hackers managed to elevate their access rights, allowing them to move through the network and deploy custom-built malware on its self-checkout systems in the U.S. and Canada.

As part of the agreement, Home Depot will make the following changes to its security protocols, including:

  • Employing a duly qualified chief information security officer — reporting to both senior or C-level executives and the board of directors regarding The Home Depot’s security posture and security risks.
  • Providing resources necessary to fully implement the company’s information security program.
  • Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information.
  • Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management.
  • Undergoing a post-settlement information security assessment — consistent with previous state data breach settlements — that, in part, will evaluate its implementation of the agreed upon information security program.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now