Home Depot to Pay $17.5 Million in Multistate Settlement over 2014 Data Breach

PHOENIX -- Attorney General Mark Brnovich today announced that The Home Depot, Inc. (Home Depot) has agreed to pay Arizona over $265,000 to resolve allegations stemming from a 2014 data breach that compromised roughly 40 million credit and debit cards nationwide. The settlement with the Arizona Attorney General’s Office (AGO) is part of a larger $17.5 million settlement with 46 states and the District of Columbia. In addition to the payment, Home Depot has agreed to a series of data security and good governance provisions designed to strengthen its practices going forward.

On September 8, 2014, Home Depot disclosed that cyber attackers gained access to Home Depot’s corporate network, allowing them to upload malware to at least 7,477 Home Depot self-checkout systems. This malware collected payment card information and sent it to the attackers, compromising approximately 40 million credit and debit cards nationwide.

“With our reliance on technology and the internet, protecting consumer data and information is more important than ever,” said Attorney General Brnovich. “My office will continue to ensure that businesses take all necessary precautions to prevent data breaches and safeguard customers’ personal information.”

Under the settlement, Home Depot agreed to these provisions designed to strengthen its future security practices:

  • Implementation of a comprehensive information security program, including regular security reporting to the Board of Directors and providing security awareness and privacy training to employees;
  • Specific security requirements with respect to segmentation, logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management, among other requirements; and
  • Third-party security assessments and audits for three years.

Home Depot previously offered one year of credit monitoring to all affected U.S. individuals.

Copy of Assurance of Discontinuance.

Other AGO cases regarding data breaches:
$39.5 Million in Multistate Settlement with Anthem Over 2014 Breach
$18.5 Settlement with Target after Data Breach
First-Ever Settlement in HIPAA Data Breach Lawsuit
$148 Million Settlement With Uber Over Data Breach
$10 Million Settlement Premera Blue Cross Data Breach
$1.5 Data Breach Settlement With Neiman Marcus
$5.5 Million Settlement with Nationwide Insurance 
$600 Million Equifax Settlement