Hardware chain Home Depot has settled a data breach lawsuit for more than AUD $23 million (USD $17.5 million) after the chain had its point-of-sale machines infected with malicious software and impacted as many as 40 million customers.
Home Depot has announced its move to settle a lawsuit from 46 states for $23 million, after a 2014 data breach that engulfed the hardware giant.
In addition to the settlement of the data breach lawsuit, Home Depot has said that it will introduce a raft of new information security measures to prevent further attacks in the future.
For a total of five months, hackers were able to view the credit card information of millions of Home Depot customers after implanting custom-made malware on the chain's checkout computers.
The settlement underlines the importance of having an information security system in place to protect an organisation's IT infrastructure, as well as the risk of customers being caught up in a data breach scandal and the lawsuit that may follow it.
Key amongst its promises are the appointment of a new Chief Information Security Officer (CISO) to Home Depot's lineup, the introduction of a new internal cyber security awareness program, a host of new security measures across the board and the adoption of two-factor authentication standards within its operations.
Announcing the news that Home Depot had settled the data breach lawsuit for AUD $23 million, Maryland’s Attorney General Brian Frosh said that “far too often, companies fail to protect consumers’ personal information from unlawful use or disclosure.”
“As a result, consumers suffer harm personally and financially. The data security measures required by this settlement will help protect the personal information of Marylanders and other consumers throughout the country.”
According to a report from ZDNet, “starting in April 2014 and detected in September of the same year, the cyberattack mirrored what was also experienced by rival retailer Target in 2013, in which point-of-sale (PoS) systems were infected with malware designed to steal payment card data.”
That report states that as many as 40 million customers in the United States and Canada were impacted by the malware installed on point-of-sale devices, which went undetected for a number of months. This increased the likelihood of those customers being targeted with financial scams and identity theft campaigns.
Massachusetts Attorney General Maura Healey has said that “retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop.”
“This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure,” Healey added.
Although years have passed since the initial breach, security researchers warn that the dangers of a wide-scale breach like the Home Depot malware infection persist well into 2020.
This is because, as ZDNet’s report states, “at the time of Home Depot’s breach, online customers were not involved. Six years on, and we now commonly see payment card information being harvested across e-commerce websites in what is known as Magecart attacks.”
In reference to the settlement, Ohio’s Attorney General, Dave Yost said that “Home Depot might have the right hardware for customers but, in this case, it lacked the necessary tools to protect their information… that’s now going to change with this settlement.”
Kentucky’s AG, Daniel Cameron, echoed the comments of his counterparts, stating that “this settlement ensures that businesses, like Home Depot, take the necessary steps to appropriately safeguard consumer data.”
“This is one example of the work our Office of Consumer Protection undertakes, on behalf of Kentuckians, to ensure that our Consumer Protection and Data Privacy laws are followed.”
According to a report from BizJournals, Home Depot, in signing the data breach settlement, has agreed to the following:
Employing a qualified and experienced Chief Information Security Officer who will report to executives and board members of Home Depot.
Investing in the necessary resources for a viable and robust information security management system.
Providing employees with adequate information and training around the threats to Home Depot’s networks, as well as the company’s obligations to keep consumer data safe.
Implementing the essentials of information security, such as encryption, firewalls, access control safeguards, password management, risk assessments, penetration testing, intrusion detection, two-factor authentication and vendor account management.
Agreeing to further information security assessments in the future to demonstrate the viability of the company’s information security system.