Home Depot to Pay $27.25m in Latest Data Breach Settlement

In the latest settlement of legal claims arising out of a massive 2014 data breach at Home Depot, the retailer has agreed to pay $27.25 million to affected financial institutions.

Illustrating the real-world impact of poor security practices, a two-and-a-half-year-old data breach is ultimately going to cost the DIY purveyor as much as $179 million, and possibly much more once legal fees and any other undisclosed payouts are taken into account.

The 2014 incident, which is the largest point-of-sale heist of all time, as well as the biggest credit-card compromise ever seen, affected 56 million different pieces of plastic. Now, banks that file valid claims will get $2 per compromised payment card without having to prove their losses, even if they have received compensation from another source. Those that can prove their losses may get an additional “documented damages award” of up to 60% of their uncompensated costs, according to the settlement documents.

“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards,” said Jim Nussle, chief executive of the Credit Union National Association. “This settlement would be a step toward making them whole again.”

As part of this latest settlement, Home Depot also agreed to track and manage its data security risk assessments using a risk-exception process, conduct annual reviews of service providers and vendors that have access to payment card information, and create a security-control framework. Last year, the retailer also agreed to hire a chief information security officer (CISO), and said that it now applies enhanced encryption to payment card data.

Previously, Home Depot has paid at least $134.5 million in compensation to Visa, MasterCard and various banks. And, on the consumer front, more than 50 lawsuits were consolidated into two class action suits, with the plaintiffs last year awarded $19 million. Of that, $13 million was to reimburse victims for their losses, and $6.5 million to provide them with one and a half years of identity protection services.

The cyber-criminal gang which launched the attack used custom-built malware to lift payment card information from the PoS terminals at self-check-out lanes in the US and Canada. And the crooks did just that—from April to September 2014, when the compromise was finally detected.

Along with the payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information, but phishing scams became a very real danger.

Security professionals agree that the breach was most certainly a result of poor IT practices within the company. Showcasing poor network segmentation and vetting processes, the goods were lifted from its network using credentials stolen from a third-party vendor. The stolen user name and password alone did not provide direct access to the company's point-of-sale devices, but the hackers were then able to acquire elevated rights that allowed them to navigate to other portions of Home Depot's network and, eventually, to deploy the custom malware.

Home Depot isn’t alone in blaming the supply chain for their breach. In 2015, Target agreed to pay $10 million in a settlement over a data breach it suffered in 2013 that affected 40 million cards. In that case, the criminals used compromised HVAC vendor credentials.
