Home Supply Retailer Must Also Implement Several Cybersecurity Protocols
The Home Depot on Tuesday reached a $17.5 million settlement in a class-action lawsuit stemming from a 2014 data breach that compromised the payment card data of 40 million of the retailer’s customers, according to the South Carolina Attorney General’s Office.
The settlement includes 46 states and Washington, D.C., and stems from an incident that took place between April 10 and Sept. 13, 2014, when attackers planted payment-card-stealing malware within Home Depot’s network to harvest customer card data, according to the South Carolina officials. In addition to the financial component of the settlement, the company agreed to implement specific cybersecurity measures to safeguard the personal information of its customers.
“This settlement serves to promote fair but rigorous compliance with state laws, which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers’ information from unlawful use or disclosure,” South Carolina Attorney General Alan Wilson says.
Home Depot has now created a $13 million fund to allow for payments to customers who have documented losses attributed to the breach. Customers also will have the option to receive 18 months of free credit monitoring, Wilson’s office says.
A Home Depot spokesperson told Information Security Media Group: “We’re glad to put this matter behind us and continue to focus on serving our customers.”
The company says security has always been a top priority, and since the data breach happened it has “invested heavily to further secure our systems,” the spokesperson adds.
Additional Security Measures
Wilson’s office notes the company will have to build upon the security measures it has already put in place since the security breach took place. As part of the settlement, The Home Depot must:
- Employ a duly qualified chief information security officer who reports to both senior or C-level executives and the board of directors on Home Depot’s security posture and security risks;
- Provide the resources necessary to fully implement the company’s information security program;
- Provide appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
- Employ specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management.
The Home Depot will also undergo a post-settlement review to ensure the agreed-upon details are being implemented.
The Home Depot reported the breach on Sept. 18, 2014, saying an estimated 56 million unique payment cards were compromised when an attacker’s custom-built malware was able to gain access to its payment system.
At the time, the U.S. Department of Homeland Security warned retailers that the malware used in the Home Depot breach – dubbed Mozart – had been built specifically to target Home Depot’s systems (see: Fraud Tied to Home Depot Breach Mounting).
By October 2014, credit unions were already feeling the fallout from the breach, with an estimated cost of nearly $60 million to reissue cards, cover fraud losses and absorb other breach-related expenses (see: Home Depot Breach Cost CUs $60 Million).