Retail giant Home Depot has agreed to a $17.5 million settlement in a multi-state investigation of the data breach that the company suffered in 2014.
Home Depot, the largest US home improvement retailer, has agreed to a $17.5 million settlement over the 2014 data breach.
In 2014, Home Depot revealed that the data breach impacted 56 million customers across the US and Canada. According to the US retailer, the payment card information of approximately 40 million Home Depot consumers nationwide was affected. Online customers were not impacted by the security breach.
The settlement was announced by Delaware Attorney-General Kathy Jennings this week; the announcement confirmed that 46 states have reached an agreement with the US company.
Hackers compromised the company's point-of-sale (PoS) systems with malware that was designed to steal payment card data.
Home Depot also agreed to implement and maintain additional security practices in the future to prevent similar attacks.
Below are the security provisions agreed to in the settlement:
- Employing a duly qualified Chief Information Security Officer reporting to both the Senior or C-level executives and Board of Directors;
- Providing resources necessary to fully implement the company’s information security program;
- Providing appropriate security awareness and privacy training to all relevant personnel;
- Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
- Undergoing a post settlement information security assessment to evaluate The Home Depot’s implementation of the information security program.
“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts AG Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”
(SecurityAffairs – hacking, Data breach)