Home Depot agrees to $17.5 million settlement over 2014 data breach

The US retailer’s point-of-sale systems were infected with malware.
Written by Charlie Osborne, Contributing Writer

Home Depot has agreed to a $17.5 million settlement in a multi-state investigation of a data breach suffered by the company in 2014.

Delaware Attorney-General Kathy Jennings announced the settlement on Tuesday, in which a total of 46 states, as well as the District of Columbia, have reached a resolution with the US retailer. 

In 2014, Home Depot confirmed that a cyberattack had occurred on its payment systems, impacting customers across the US and Canada.

Starting in April 2014 and detected in September of the same year, the cyberattack mirrored what was also experienced by rival retailer Target in 2013, in which point-of-sale (PoS) systems were infected with malware designed to steal payment card data. 

Approximately 40 million Home Depot customers were impacted by the PoS malware, which remained hidden on the company's self-checkout systems for months.  

Stolen payment card data can be used to make fraudulent purchases online or to create cloned cards, potentially leading to consumer bank accounts being pilfered and creditworthiness being affected.

Alongside the settlement, Home Depot has agreed to implement and maintain new security practices in the future. These include employing a chief information security officer (CISO), providing security awareness training, and rolling out network access security improvements, two-factor authentication (2FA) standards, and more. 

"Retailers must take meaningful steps to protect consumers' credit and debit card information from theft when they shop," said Massachusetts AG Maura Healey. "This settlement ensures Home Depot complies with our state's strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure."

At the time of Home Depot's breach, online customers were not involved. Six years on, we now commonly see payment card information being harvested across e-commerce websites in what are known as Magecart attacks.

Instead of infiltrating corporate networks in order to strike PoS systems, Magecart operators exploit vulnerabilities in online platforms and deploy JavaScript code able to skim and steal payment information submitted by customers when they make a purchase.  
