COLUMBUS, Ohio (WOWK) – Georgia-based retailer The Home Depot is expected to pay a $17.5 million settlement relating to a massive data breach that exposed the payment card information of about 40 million Home Depot consumers nationwide.
Ohio Attorney General Dave and attorney generals from 45 other states and the District of Columbia say during their investigation, they discovered hackers gained access to The Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. Hackers were able to obtain payment card information of the company’s customers who used self-checkout lanes in the U.S. between April 10, 2014, and Sept. 13, 2014.
“The Home Depot might have the right hardware for customers but, in this case, it lacked the necessary tools to protect their information. That’s now going to change with this settlement.”Ohio Attorney General Dave Yost
The Home Depot has agreed to implement and maintain data security practices designed to strengthen its information security program and protect consumer information as part of the settlement.
Security provisions and information protections included in the practices include:
- The Chief Information Security Officer will now report to both the Senior or C-level executives and Board of Directors regarding The Home Depot’s security posture and security risks.
- The Home Depot will provide resources to implement the company’s information security program.
- Provide security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information.
- Employ security safeguards for logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management.
- The Home Depot will undergo a post-settlement information security assessment which will evaluate the information security program.
Ohio will collect $656,210.31 of the $17.5 million settlement.
This settlement includes attorneys general from West Virginia and Kentucky as well as Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington and Wisconsin.