In 2014, Home Depot disclosed a security breach of 53 million customer credit cards and 56 million email addresses. This week the company settled a class action lawsuit and agreed to pay as much as $19.5 million in damages and compensation.
About a third of the money will go to gift certificates for short-term access to "identity protection services" which provide little or no value. The rest will go to compensating some fraud victims.
Breaches like Home Depot's are cumulative, though: the data they leaked will be combined and recombined with other breaches in the future as wily fraudsters find new ways to impersonate Home Depot customers: filing fraudulent tax returns or even stealing whole houses. The risks to Home Depot customers will continue for years to come, long after the identity-protection gift certificates expire.
Home Depot has promised to hire a Chief Security Officer as a part of the settlement.
This is terrible news for you and me. Home Depot wasn't the first to breach and won't be the last. Every day, companies compel you to give them significant, sensitive data in order to, say, get a work visa, apply for a job, or get a post-office box. Home Depot breached because it was grossly negligent, and it was grossly negligent because it correctly assumed that there would be no real penalties for this negligence.
If Home Depot had been hit for the full value of this breach, the total societal cost that we will all bear in law-enforcement, bailouts, and lost productivity from its wrongdoing, then their investors would shit themselves — and so would their insurers. Within the year, every major corporation would have activist investors demanding cybersecurity insurance to a large slice of the business's full market cap, and insurers would be hiring security experts to give these companies security colonoscopies, demanding basics like password hash-salting, TLS, data minimization practices, frequent audits, and all the other basic measures that should already be in place.
But for so long as the value of a lifetime of identity-theft risk is priced at thirty cents, none of that will happen.
First disclosed by the retailer in late 2014, the breach included the theft of data pertaining to about 56 million payment cards, as well as 53 million email addresses, making it one of the largest to date.
Those affected shopped at Home Depot stores between April and September of that year in the U.S. and Canada. The attackers gained access to Home Depot's network using the login credentials of one of its contractors, it said at the time.
It was hit with more than 50 lawsuits as a result of the breach. They were consolidated into two suits each seeking class action status.
Last year, Target agreed to pay $10 million in a settlement over a data breach it suffered in 2013 that affected at least 40 million cards.
Home Depot will pay up to $19.5 million for massive 2014 data breach
[Katherine Noyes/CSO Online]
(Image: Spare Change, Alice in the Flowers, CC-BY-SA)