Residence Depot agrees to pay $ 17.5 million for multi-state settlement following the 2014 knowledge breach
On November 24, 2020, a multi-state coalition of attorneys general announced that The Home Depot, Inc. (“Home Depot”) agreed to pay $ 17.5 million and a variety of data security practices in response to a data breach of the company in 2014 The payment of $ 17.5 million will be split between the 46 participating states and the District of Colombia. We previously reported on an agreement Home Depot reached in 2017 to resolve a suspected class action lawsuit by financial institutions affected by the 2014 data breach.
The 2014 breach occurred when unauthorized persons gained access to Home Depot’s network and installed malware on the company’s self-checkout POS system, allowing the attackers to obtain payment card information from customers who had meanwhile been using self-checkout registers in Home Depot. Stores used April 10, 2014 and September 13, 2014. Approximately 56 million payment card numbers were compromised and the stolen information was used to conduct fraudulent transactions. Home Depot publicly announced the violation in September 2014.
In addition to the $ 17.5 million settlement, Home Depot agreed to implement various data security measures, including:
- Hire a qualified Chief Information Security Officer to report to both C-Suite officers or officers and the Board of Directors on Home Depot’s security posture and identified security risks;
- Ensure that the company has adequate resources to implement and maintain its information security program;
- Provide adequate security awareness and privacy training to all employees who have access to the corporate network or are otherwise responsible for processing US consumers’ personal information;
- Use specific security measures for information security related to logging and monitoring, access controls, password management, two-factor authentication, monitoring of file integrity, firewalls, encryption, risk assessments, penetration tests, detection of intruders and supplier management; and
- Perform an assessment that, in part, assesses the implementation of the information security program and controls described above by Home Depot.