IT World Canada

Home Depot to pay U.S. states $17.5 million for 2014 data breach

It’s taken six years but a number of U.S. states have finally come to an agreement on financial penalties and other remedies against The Home Depot for a huge data breach in 2014.

Home Depot will have to pay 46 states and the District of Columbia $17.5 million and implement a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

The money will be divided among the states. New York, for example, will get $600,000.

“New Yorkers have every reasonable expectation that their personal financial information will remain private and protected,” Attorney General Letitia James said in a statement. “Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk. My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information.”

The breach occurred when hackers gained access to The Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. The malware allowed hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the U.S. and Canada between April 10, 2014 and September 13, 2014. Some 53 million email addresses and 56 million credit and debit card details were stolen.

Ontario victims of the breach reached a settlement with the retailer in 2016 in a class-action lawsuit. That included creating a $250,000 settlement fund to compensate any documented losses to victims arising from the breach, up to a maximum of $5,000 per claimant. Home Depot also agreed to pay for credit monitoring up to a maximum of $250,000 and to cover the costs of notifying class members and administering the fund. It also agreed to pay $400,000 in claimants' legal costs.

In his decision, the judge concluded the breach was due to criminal hackers and not because of any wrongdoing by Home Depot. The retailer openly and promptly notified customers, he pointed out, and sought to lessen any potential harm arising from the breach, which resulted in few documented losses.

In the U.S., Home Depot agreed to pay some $19.5 million to U.S. customers in a class-action lawsuit.

In 2016, Home Depot released a report on its investigation of the breach saying criminals used a third-party vendor’s user name and password to enter the perimeter of its network. These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. But the hackers managed to elevate their access rights, allowing them to move through the network and deploy custom-built malware on its self-checkout systems in the U.S. and Canada.

As part of the agreement, Home Depot will make the following changes to its security protocols, including:
