Security vendors always warn that fixing an IT breach can be costly. Sometimes organizations dismiss this as self-serving. Well, here’s a real-world example: Home Depot has spent US$43 million in its most recent quarter to fix the problem — and the bills will likely keep coming.

The explanation comes in the company’s latest financial filings with the U.S. Securities and Exchange Commission describing the fallout from the theft of 56 million payment card details and 53 million email addresses of customers in Canada and the U.S.

The intruder “used a vendor’s user name and password to enter the perimeter of the company’s network,” the filing said. After acquiring “elevated rights that allowed it to navigate portions of the company’s network,” the intruder deployed unique, custom-built malware on self-checkout systems to access payment card information of customers who shopped at its U.S. and Canadian stores between April and September.

Home Depot “has completed a major payment security project that provides enhanced encryption of payment card data at the point of sale” in all U.S. stores. Enhanced encryption for Canadian stores will be completed by early 2015. The company is also rolling out EMV chip-and-PIN technology in its U.S. stores, which adds extra layers of payment card protection for customers, the filing said. Canadian stores are already enabled with EMV chip-and-PIN technology.

The US$43 million includes costs to investigate the breach; provide identity protection services, including credit monitoring, to impacted customers; increase call centre staffing; and pay for legal and other professional services.

Home Depot also thinks it’s likely that payment card networks will make claims to recover what they or their issuing banks are paying for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) if the company wasn’t complying with applicable data security standards.

A wrinkle: “Although an independent third-party assessor found the portion of the company’s network that handles payment card data to be compliant with applicable data security standards in the fall of 2013,” the filing says, “the process of obtaining such certification for 2014 was ongoing at the time of the data breach.” So those suing may claim that the company was not in compliance with those standards at the time of the data breach.

Home Depot “believes that a loss in connection with these claims is reasonably possible.”

And that’s just from the payment networks. At least 44 lawsuits have already been filed in the U.S. and Canada, says the filing. More are expected. And several U.S. state and federal agencies are investigating.

So it’s no surprise the filing says the company can’t estimate yet how much it may have to pay out. Meanwhile Home Depot “expects to incur significant legal and other professional services expenses associated with the data breach.”