Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

Home Depot Settles 2014 Breach Lawsuit for $17.5 Million

Home Supply Retailer Must Also Implement Several Cybersecurity Protocols
Home Depot Settles 2014 Breach Lawsuit for $17.5 Million

The Home Depot on Tuesday reached a $17.5 million settlement of a multistate lawsuit stemming from a 2014 data breach that compromised the payment card data of 40 million customers, according to the South Carolina attorney general's office.

See Also: Global Threat Report 2024: Executive Summary

The settlement, which involves 46 states and Washington, D.C., stems from the breach that happened between April 10 and Sept. 13, 2014, when fraudsters planted credit card skimming malware in Home Depot's network to steal customer payment data. In addition to the financial component of the settlement, the company agreed to implement specific cybersecurity measures to safeguard the personal information of its customers.

"This settlement serves to promote fair but rigorous compliance with state laws, which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers' information from unlawful use or disclosure," South Carolina Attorney General Alan Wilson says.

Home Depot has created a $13 million fund to allow for payments to customers who have documented losses attributed to the breach. Customers also will have the option to receive 18 months of free credit monitoring, Wilson's office says.

A Home Depot spokesperson tells Information Security Media Group: "We're glad to put this matter behind us and continue to focus on serving our customers." Since the breach, the company has "invested heavily to further secure our systems," the spokesperson adds.

Additional Security Measures

Wilson's office notes the company will have to build upon the security measures it has already put in place since the security breach happened. As part of the settlement, The Home Depot must:

  • Employ a CISO reporting to both senior executives and the board of directors;
  • Provide the resources necessary to fully implement the company's information security program;
  • Provide appropriate security awareness and privacy training to all personnel who have access to the company's network or responsibility for U.S. consumers' personal information;
  • Implement security safeguards, including logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management.

The Home Depot will also undergo a post-settlement review to ensure the agreed-upon details are being implemented.

Meaningless Mandates?

Todd Rowe, an attorney with Tressler LLP of Chicago who specializes in insurance and privacy issues, says that Home Depot has likely already implemented many of these changes. For example, in 2019, it hired Stephen Ward as CISO and named him to the board of directors.

"If a company like Home Depot didn't have these security measures in place by 2020, it would be pretty negligent," Rowe says, calling the $17.5 million settlement "paltry."

But the attorney general's offices in the 46 states see the settlement as a way to put corporations on notice.

"Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk," New York Attorney General Letitia James said after the agreement was announced Tuesday. "My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information."

A Major Breach

The big-box retailer reported the breach on Sept. 18, 2014, saying an estimated 56 million payment cards were compromised when an attacker's custom-built malware gained access to its payment system.

At the time, the U.S. Department of Homeland Security warned retailers that the malware - dubbed Mozart - was designed to exploit Home Depot's system (see: Fraud Tied to Home Depot Breach Mounting).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.