Hardware chain settles widespread data breach in which customers’ sensitive information was compromised.
Home Depot announced it will pay out $17.5 million to settle a data breach lawsuit with 46 states claiming to have been impacted. Hackers used a vendor’s username and password to access the home improvement store’s network and deployed malware to compromise customer payment information. The breach exposed card information of approximately 40 million Home Depot consumers nationwide, according to court records. Home Depot agreed to roll out additional data security practices, as well, including providing resources and training and employing a Chief Information Security Officer.
Brian Krebs, a security reporter, wrote he suspected the same malware that hacked the accounts of Target customers compromised Home Depot’s network. He stated, “At least some of Home Depot’s store registers were infected by a new variant of a malware strain known as BlackPOS, the same type of malware found on point-of-sale systems at Target in last year’s attack.”
“We don’t really know how it happened, but it sounds like possibly an internal error,” added Chloé Messdaghi, VP of Strategy, Point3 Security. “If one of those emails landed in the hands of an attacker, it’s like early Christmas for them. Any attacker would otherwise have to pay big money for real-time data on actual orders. Home Depot really needs to get in front of this immediately to beat attackers to the punch. They need to let their consumers know what to do next – and to be especially aware that bad actors may be calling, emailing or texting, displaying the last few digits of their card and recent orders, and asking these consumers to click through to links that will extract valuable information from them, drop ransomware or other malware, or do other damage. Merely reporting a breach without informing consumers of attacks they might expect and how to avoid them is like diagnosing a treatable illness but withholding possible treatments. It’s potentially cyber malpractice.”
“The Home Depot might have the right hardware for customers but, in this case, it lacked the necessary tools to protect their information,” said Ohio Attorney General Dave Yost, whose state will receive $656,210.
“This settlement ensures that businesses, like Home Depot, take the necessary steps to appropriately safeguard consumer data,” said Kentucky Attorney General Daniel Cameron, whose state will receive $188,570.
“Companies that collect sensitive personal information from customers have an obligation to protect that information from unlawful use or disclosure,” Connecticut Attorney General William Tong said. “Home Depot failed to take those precautions.”
Home Depot had originally announced, “We want you to know that we have now confirmed that those systems have in fact been breached, which could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward.” Following the settlement, the chain released a statement saying, “Security is a top priority” and that it “has since 2014 invested heavily to further secure our systems. We’re glad to put this matter behind us.”