Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Home Depot Agrees to $17.5 Million Settlement With States Over 2014 Data Breach

Home Depot has agreed to shell out  $17.5 million under a settlement with the attorney generals of 46 states and the District of Columbia over the massive data breach suffered by the home improvement retailer in 2014, when cybercriminals managed to steal email addresses and payment card data belonging to more than 40 million customers in the United States.

Home Depot has agreed to shell out  $17.5 million under a settlement with the attorney generals of 46 states and the District of Columbia over the massive data breach suffered by the home improvement retailer in 2014, when cybercriminals managed to steal email addresses and payment card data belonging to more than 40 million customers in the United States.

In September 2014, Home Depot revealed that cybercriminals had access to the company’s systems between April and September 2014. The attackers used custom-built malware to steal payment cards and other customer data without being detected.

According to the Massachusetts Attorney General website, Home Depot agreed to the following information security provisions, many of which were previously agreed to in other settlements.

• Employing a duly qualified Chief Information Security Officer reporting to both senior or C-level executives and the Board of Directors regarding The Home Depot’s security posture and security risks;

• Providing resources necessary to fully implement the company’s information security program;

• Providing appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;

• Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and

Advertisement. Scroll to continue reading.

• Consistent with previous state data breach settlements, undergo a post settlement information security assessment which in part will evaluate its implementation of the agreed upon information security program.

“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts Attorney General Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”

In March 2017, Home Depot agreed to pay $25 million to the financial institutions affected by the data breach, and reportedly paid out more than $134 million to Visa, MasterCard and other financial organizations. In 2016, the company also agreed to pay at least $19.5 million to settle charges, including for reimbursements and identity protection services. Overall, the data breach has cost Home Depot upwards of $200 million, according to SecurityWeek’s calculations.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.