Home Depot has reached a $17.5m settlement with 46 US states and Washington, D.C. regarding its 2014 data breach.
In the breach, the payment card data of 40 million customers was accessed by attackers between April 10 and September 13. That breach, which was uncovered by Brian Krebs, was reportedly the largest retail card breach on record at the time, estimated to have impacted around 56 million individuals.
Later, staff criticized the company’s attitude to security, and it was revealed that attackers used the username and password of a third-party vendor to enter the perimeter of the Home Depot network. They later deployed custom-built malware to access customers’ information.
It was also revealed that at least 52 million people had their email addresses exposed, partially overlapping those whose payment card data was compromised.
According to Reuters, Home Depot did not admit liability in agreeing to the settlement, but will comply with the following specific information security provisions:
- Employing a duly qualified CISO reporting to both the senior or C-level executives and board of directors regarding Home Depot’s security posture and security risks
- Providing resources necessary to fully implement the company’s information security program
- Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for US consumers’ personal information
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection and vendor account management
- Consistent with previous state data breach settlements, the company will undergo a post-settlement information security assessment which, in part, will evaluate its implementation of the agreed upon information security program
In a statement, Home Depot said security is a top priority and that it has since 2014 “invested heavily to further secure our systems. We’re glad to put this matter behind us.”
Companies that collect sensitive personal information from customers “have an obligation to protect that information from unlawful use or disclosure,” Connecticut attorney general William Tong said in a statement. “Home Depot failed to take those precautions.”
Michigan attorney general Dana Nessel added: “I am pleased with this settlement as it sets procedures in place that The Home Depot must follow to further protect consumers’ interests and provide them peace of mind as they shop.”
Jake Moore, cybersecurity specialist at ESET, said: “Punishing huge companies must set a precedent but we don’t want to see any company forced out of business for a mistake which may have been out of their control.
“Data breaches happen in a variety of ways and many could have been avoided with best practice, simulation attacks and better staff training. However, many are simply unavoidable and bad luck which do not require much more punishment other than the negative publicity they will no doubt attract. Maybe if the fines were reduced if companies were more open about how they were breached, we may see a change in how they [breaches] are reported and penalized.”