The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Home Depot settles breach suit, will pay $19m

Less than two years after it disclosed a massive breach of its payment system, Home Depot agreed to pay out more than $19 million to settle a class action suit, citing a need to ‘move on.’

Home Depot is 'moving on' from its widely publicized 2014 data breach.

Reuters reported on Tuesday that Home Depot had filed papers in federal court in Atlanta indicating that the company has agreed to pay $13 million to compensate consumers affected in the 2014 breach. An additional $6.5 million was set aside to pay for 18 months of identity protection services for cardholders.

In September 2014, Home Depot acknowledged that information on as many as 56 million credit cards was exposed in a sustained breach of the company that stretched from April 2014 to September of that year.

Subsequent reporting pointed to a pattern of lax security practices at the home improvement giant. Reporting by Nicole Perlroth in The New York Times quoted former employees saying that Home Depot gave short shrift to security: relying on outdated antivirus software by Symantec and infrequently running vulnerability and malicious software scans on point of sale and other systems responsible for handling customer transactions. (I wrote about this here.)

The $13 million in payments for victims amounts to $.23 per lost record.

Prior to settling, Home Depot had sought to have the class action suit dismissed altogether. In September 2015, the company filed a motion in federal court in Atlanta to have the class action suit dismissed. It’s argument: the consumers behind the class action suit cannot prove they were damaged by the breach.

"All of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases ... they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot's alleged conduct," the company says in its filing, according to a report in the Atlanta Business Chronicle.

That argument didn’t meet with much success in court in Atlanta, apparently. In statements on Tuesday, Home Depot spokesman Stephen Holmes said the company wanted to “put the litigation behind us.” “This was the most expeditious path,” Holmes said.

A hearing to approve the final settlement is scheduled for August 12th, 2016 in Atlanta.

Home Depot’s settlement is in line with other recent breaches at retailers. Target Stores, for example agreed to pay $10 million to make consumers whole after its breach.

However: still pending are lawsuits brought by credit card companies and banks who suffered damage from fraud related to the incident. In Target’s case: those suits were more costly. The company agreed in August to pay $67 million to Visa over the data hack. In December, it reached an agreement to pay another $39 million to banks that service Mastercard.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.

Paul Roberts

Paul Roberts

Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.