Major Retailer Reaches a Multimillion Dollar Settlement with State Attorneys General over Data Breach
Home Depot reached a $17.5 million settlement with 45 states and the District of Columbia resolving a multistate investigation into its 2014 data breach.
The breach occurred when hackers gained access to the company’s network and deployed malware on its self-checkout point-of-sale system. They initially used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network and then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the United States and Canada.
The malware allowed hackers to obtain the payment card information of customers who used self-checkout lanes between April and September of 2014. The breach exposed personal information of approximately 40 million Home Depot customers throughout the United States.
In 2013, a similar cyberattack was carried out against another major retailer, Target, when its point-of-sale systems were infected with malware designed to steal payment card data.
As part of the settlement, Home Depot will have to implement and maintain a series of data security practices aimed at protecting consumers’ personal information and strengthening its information security systems. Specific information security provisions outlined in the settlement include:
- Employing a duly qualified Chief Information Security Officer reporting to the Senior or C-level executives and Board of Directors;
- Providing resources necessary to fully implement the company’s information security program;
- Providing appropriate security awareness and privacy training to all relevant personnel;
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
- Undergoing a post-settlement information security assessment to evaluate the implementation of the information security program.
The Home Depot breach, which started with the unauthorized use of a third-party vendor’s credentials, is a reminder that keeping track of all vendors and managing the points of access they have into information assets is a key challenge for all organizations. As marketing, product development, and IT teams partner with third parties to deliver their respective key business objectives, privacy and compliance teams must manage these third-party relationships and the corresponding privacy and cybersecurity risks.
Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.