After years of litigation, Home Depot has finally agreed to pay $25 million to the financial institutions affected by the company’s enormous data breach in 2014.
More than 50 million customers had either their email address or their payment card information stolen after a privilege escalation vulnerability allowed hackers to infiltrate the stores’ self-service checkout terminals.
Payment systems in stores across the country were infected with custom-built malware, letting the criminals exfiltrate data, which included names, payment card numbers, expiration dates, and security codes. The hackers also accessed another database that included 53 million customers’ email addresses.
In addition to the financial penalty of the settlement, Home Depot has been mandated to tighten its cybersecurity practices and to subject its vendors to more scrutiny.
One of the most important lessons to take from this case is that breaches of payment systems make companies accountable not only to consumers, but also to banks and the credit card industry. As Fortune comments, court filings show that Home Depot paid far more to the financial industry than to consumers.
“We believe this settlement represents one of the better outcomes in data breach litigation,” said Jim Nussle, president and CEO of the Credit Union National Association (CUNA), one of the plaintiffs on the case.
“Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards. This settlement would be a step towards making them whole again.”
While consumers have been repaid for the money taken from their accounts ($19.5 million in total), there was no clear evidence of how much money the financial institutions involved lost because of the breach.
The affected organizations were forced to cancel and reissue the compromised payment cards, reimburse their customers for the fraudulent transactions, and spend significant sums of money responding to the breach and preparing for litigation.
Last year, Home Depot said it had set aside $161 million to cover the cost of the breach, but with this $25 million settlement, the total sum will now be significantly higher. In addition to settling with financial institutions and customers, Home Depot also paid at least $134.5 million to a consortium made up of Visa, MasterCard, and various banks.
Staying secure with ISO 27001
If you’re concerned about your organization’s cybersecurity, you should make sure you have an effective information security management system (ISMS) in place, as described in the international standard ISO 27001. A systematic approach to managing confidential or sensitive corporate information, ISO 27001 helps you keep your data secure.
The Standard covers people, processes, and technology, recognizing that information security is not about technology alone.
To help your organization implement an ISO 27001-compliant ISMS, IT Governance offers a range of fixed-price packaged solutions. Each provides a combination of products and services that can be accessed online and deployed anywhere in the world.