US retailer The Home Depot has agreed to pay a $17.5m settlement over a 2014 data breach in which 40 million customers had their card details accessed by hackers.
A total of 46 states pursued the settlement with Home Depot, which did not admit liability as part of the terms.
However, it had to agree to other conditions, which include hiring a chief information security officer and upgrading its security programme and training. It will also have to undergo a post-settlement security assessment to review the implementation of the new security measures.
In 2014 the Georgia-based retailer confirmed that hackers had gained access to its self-checkout point-of-sale system. The cybercriminals then deployed malware that allowed them to collect the payment card information of customers who used self-checkout lanes at Home Depot stores throughout the US between 10 April 2014 and 13 September 2014.
“Businesses that collect or maintain sensitive personal information have an obligation to live up to the trust consumers place in them,” said Delaware Attorney General Kathy Jennings in a statement.
“My office will continue to ensure businesses like The Home Depot protect consumers’ information from unlawful use or disclosure.”
Home Depot settlement: “We’re glad to put this matter behind us”
Home Depot spokesperson Sara Gorman said:
“We’re glad to put this matter behind us and continue to focus on serving our customers. Security has always been a top priority for The Home Depot.
“When this occurred six years ago, we moved quickly to inform and protect our customers, offering more than 50 million customers free identity protection services including free credit monitoring. Since that time, we’ve also invested heavily to further secure our systems.”
The Home Depot breach ranks as one of the biggest data breaches in history. The retailer has paid an additional $198m in pre-tax expenses related to the hack and its cleanup.
Commenting on the Home Depot breach, ESET Cybersecurity Specialist Jake Moore said:
“Punishing huge companies must set a precedent but we don’t want to see any company forced out of business for a mistake which may have been out of their control… many are simply unavoidable and bad luck which do not require much more punishment other than the negative publicity they will no doubt attract.
“Maybe if the fines were reduced if companies were more open to how they were breached, we may see a change in how they are reported and penalised.”
Retailer Target experienced a similar cyberattack against its point-of-sale systems, while the cybercrime gang Magecart has since targeted ecommerce sites to steal payment card data.