Home Depot agreed this week to pay $19.5 million to compensate the 40 million cardholders it said were impacted by a massive 2014 data breach. Under the proposed settlement, Home Depot admits no wrongdoing or liability in the breach, according to court filings with the US District Court for the Northern District of Georgia.
The settlement would bring closure to one of the country’s largest data breaches, with 50 million credit card numbers stolen and 53 million email addresses also pilfered by unknown attackers. Home Depot said the 2014 breach stemmed from attackers using compromised vendor credentials to gain access to its network and then the company’s point-of-sale system, where all the damage was done.
As part of the settlement offering, Home Depot agrees to pay $13 million to reimburse impacted customers for out-of-pocket losses related to the breach along with $6.5 million to cover 18 months of cardholder identity protection services. The settlement is a consolidation of over 57 class-action lawsuits filed against Home Depot regarding the breach in both US and Canadian courts.
Legal experts say the odds are good Home Depot’s proposed settlement will be approved by the courts. “Home Depot wants to put this behind them as fast as possible,” said Charles Hoff, data security attorney and CEO of cybersecurity website PCI University. Hoff said, relatively speaking, Home Depot is getting off fairly modestly.
For its part, Home Depot has publicly stated: “We wanted to put the litigation behind us, and this was the most expeditious path,” according to a statement by Stephen Holmes, a Home Depot spokesperson speaking to Reuters news agency.
The Home Depot breach took place between April and September of 2014 at stores in the US and Canada. The proposed settlement between Home Depot and the state of Georgia came to light last week when paperwork outlining the terms of the preliminary settlement was disclosed in an Atlanta federal court.
The settlement includes restitution for 40 million individuals who had their credit card data stolen and between 52 million and 53 million individuals who had their email addresses stolen. Home Depot said there is overlap between the two groups. It’s unclear how Home Depot arrived at the figure of 40 million affected cardholders when the original number was 50 million.
Conditions of the proposed settlement also include a promise by the home improvement giant to hire a chief information security officer and spend the next two years enhancing its cyber-defenses. Since the breach, Home Depot has already put in place new safeguards. Last year, Home Depot said it beefed up security by introducing EMV chip-and-PIN technology in its U.S. stores and enhanced encryption in Canadian stores that takes raw payment card information and scrambles it to make it unreadable to unauthorized users.
It’s believed the Home Depot attackers, who were never caught, used malware called Backoff to infiltrate point-of-sale systems. Backoff, a Windows Trojan, can be configured to capture credit card data from a computer’s memory before it is encrypted at the point-of-sale terminal and shipped to a payment processor. Home Depot never confirmed the Backoff suspicions.
In a statement regarding the attack released last year, Home Depot said: “The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.”
For months, as the litigation proceeded, Home Depot sought to have the lawsuits dismissed in U.S. District Court in Atlanta, arguing no harm to its customers had been demonstrated. Home Depot added that it was incumbent on the third-party financial institutions managing the card networks for Home Depot to cover consumer losses from stolen cards. It argued, unsuccessfully, that stolen cards are part of the normal course of business for financial institutions.
Banks, who said they had already spent millions covering fraudulent transactions tied to the data breach, disagreed. Home Depot’s settlement offer does not cover claims by financial institutions regarding the breach. That court case is being litigated separately.
According to the settlement offer, consumers can recover up to $10,000 each in damages related to having their personal financial information stolen. Members of the class must submit claims documenting losses and are required to self-certify the time spent remedying data breach-related issues.
“Unfortunately, in class action cases like these, nobody wins but the lawyers,” Hoff said. “Consumers have gotten so used to this type of breach, a fatigue has set in.” He said many of the consumers who have suffered through days of repairing their credit rating and canceling bank cards can hope to benefit from the settlement. For the majority of those with persistent anxiety over being part of the 50 million customers whose financial data is now in the hands of hackers, there will be scant restitution, he said.
In November 2014, Home Depot said that the incident had already cost it $43 million in expenses related to the investigation into the data breach, hiring security experts to find the details of the attack, and hiring additional call center workers to handle consumer questions.