Security news that informs and inspires

Home Depot Settles With States Over 2014 Data Breach


The effects of a data breach linger long after the actual incident has been dealt with. Home Depot was breached back in 2014—and the company is still dealing with investigations and litigation over the breach, six years later.

The home improvement giant reached a $17.5 million settlement with 46 states and Washington, DC to resolve the investigation into the data breach that compromised the payment information of 40 million customers who used self-checkout terminals at its stores in the United States and Canada. Attackers had infiltrated Home Depot’s network using a vendor’s login credentials and deployed custom point-of-sale malware to skim payment card information between April 10 and Sept. 13, 2014. Under the terms of the agreement, Home Depot did not admit liability but agreed to implement specific security measures.

Companies that collect sensitive personal information from customers “have an obligation to protect that information from unlawful use or disclosure,” Connecticut Attorney General William Tong said in a statement. “Home Depot failed to take those precautions.”

The amount of money in the settlement agreement seems very small, especially since Home Depot has already spent more than $180 million to settle investigations and cases over the last few years. The company agreed to pay $27 million to the financial institutions affected by the data breach (March 2017), reportedly paid $134 million to Visa, MasterCard, and other banks, and settled with individuals who had been harmed by the breach for at least $19.5 million. The settlement with consumers included a $13 million cash fund as well as $6 million in credit monitoring services. The true total cost of the data breach for Home Depot is likely to be greater than $200 million (and counting), as it would include legal fees, other payouts, and the initial costs of remediating the breach.

For the states who were part of the investigation and the agreement, the true impact of the settlement agreement seems to be more about the security conditions Home Depot agreed to, including employing a chief information security officer who reports directly to the board of directors and senior executives, and providing security training to all workers with access to the company network or access to customer information. The agreement also requires Home Depot to implement security safeguards with respect to logging and monitoring, access controls, encryption, password management, two-factor authentication, file integrity monitoring, firewalls, penetration testing, risk assessments, and intrusion detection.

Finally, Home Depot is expected to create a security-control framework, track and manage its data security risk assessments using a risk-exception process, and conduct annual reviews of service providers and vendors that have access to payment card information. Home Depot is expected to undergo a post-settlement information security assessment to evaluate how well it had implemented the information security program and whether it met the provisions in the agreement.

"This settlement serves to promote fair but rigorous compliance with state laws, which require businesses that collect or maintain sensitive personal information to implement and adhere to reasonable procedures to protect consumers' information from unlawful use or disclosure," South Carolina Attorney General Alan Wilson said in a statement.

Several of the provisions in the agreement are conditions Home Depot had already agreed to in past agreements. Other items are obvious security measures that any company should already have in place, in 2020, especially an organization of Home Depot’s size. Home Depot said in a statement that since 2014, it had “invested heavily to further secure our systems.” Home Depot had already hired a CISO, established a data security and privacy governance committee to provide the board with regular reports, and adopted the National Institute of Standards and Technology’s Cybersecurity Framework.

“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts Attorney General Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”

The multistate agreement is important because it reinforces the security activities that should be considered the bare minimum for organizations holding payment card data. "Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk," New York Attorney General Letitia James said in a statement.