It’s taken six years but a number of U.S. states have finally come to an agreement on financial penalties and other remedies against The Home Depot for a huge data breach in 2014.
Home Depot will have to pay 46 states and the District of Columbia $17.5 million and implement a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
The money will be divided among the states. New York, for example, will get $600,000.
“New Yorkers have every reasonable expectation that their personal financial information will remain private and protected,” Attorney General Letitia James said in a statement. “Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk. My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information.”
The breach occurred when hackers gained access to The Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. The malware allowed hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the U.S. and Canada between April 10, 2014 and September 13, 2014. Some 53 million email addresses and 56 million credit and debit card details were stolen.
Ontario victims of the breach reached a settlement with the retailer in 2016 in a class-action lawsuit. That included creating a $250,000 settlement fund to compensate any documented losses to victims arising from the breach, up to a maximum of $5,000 per claimant. Home Depot also agreed to pay for credit monitoring up to a maximum of $250,000 and to cover the costs of notifying class members and administering the fund. It also agreed to pay $400,000 in claimants’ legal costs.
In his decision, the judge concluded the breach was due to criminal hackers and not to any wrongdoing by Home Depot. The retailer openly and promptly notified customers, he pointed out, and sought to lessen any potential harm arising from the breach, which resulted in few documented losses.
In the U.S., Home Depot agreed to pay some $19.5 million to U.S. customers in a class-action lawsuit.
In 2016, Home Depot released a report on its investigation of the breach saying criminals used a third-party vendor’s username and password to enter the perimeter of its network. These stolen credentials alone did not provide direct access to the company’s point-of-sale devices, but the attackers elevated their privileges, moved laterally through the network and deployed custom-built malware on its self-checkout systems in the U.S. and Canada.
As part of the agreement, Home Depot will make the following changes to its security practices:
- Employing a duly qualified chief information security officer, reporting to senior or C-level executives and to the board of directors regarding The Home Depot’s security posture and security risks.
- Providing resources necessary to fully implement the company’s information security program.
- Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information.
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management.
- Undergoing a post-settlement information security assessment — consistent with previous state data breach settlements — that, in part, will evaluate its implementation of the agreed upon information security program.