Home Depot bill for cleaning up breach so far is US$43 million — and climbing

Security vendors always warn that fixing an IT breach can be costly. Sometimes organizations dismiss this as self-serving. Well, here’s a real-world example: Home Depot has spent US$43 million in its most recent quarter to fix the problem — and the bills will likely keep coming.

The explanation comes in the company’s latest financial filings with the U.S. Securities and Exchange Commission describing the fallout from the theft of 56 million payment card details and 53 million email addresses of customers in Canada and the U.S.

The intruder “used a vendor’s user name and password to enter the perimeter of the company’s network,” the filing said. After the intruder acquired “elevated rights that allowed it to navigate portions of the company’s network,” unique, custom-built malware was deployed on self-checkout systems to access payment card information of customers who shopped at its U.S. and Canadian stores between April and September.

Home Depot “has completed a major payment security project that provides enhanced encryption of payment card data at the point of sale” in all U.S. stores. Enhanced encryption for Canadian stores will be completed by early 2015. The company is also rolling out EMV chip-and-PIN technology in its U.S. stores, which the filing said adds extra layers of payment card protection for customers. Canadian stores are already enabled with EMV chip-and-PIN technology.

The US$43 million includes costs to investigate the breach; provide identity protection services, including credit monitoring, to impacted customers; increase call centre staffing; and pay legal and other professional services.

Home Depot also thinks it’s likely that payment card networks will make claims to cover what they or their issuing banks are paying for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) if the company wasn’t complying with applicable data security standards.

A wrinkle: “Although an independent third-party assessor found the portion of the company’s network that handles payment card data to be compliant with applicable data security standards in the fall of 2013,” the filing says, “the process of obtaining such certification for 2014 was ongoing at the time of the data breach.” So those suing may claim that the company was not in compliance with those standards at the time of the data breach.

Home Depot “believes that a loss in connection with these claims is reasonably possible.”

And that’s just from the payment networks. At least 44 lawsuits have already been filed in the U.S. and Canada, says the filing. More are expected. And several U.S. state and federal agencies are investigating.

So it’s no surprise the filing says the company can’t estimate yet how much it may have to pay out. Meanwhile, Home Depot “expects to incur significant legal and other professional services expenses associated with the data breach.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
