Home Depot To Pay $17.5 Million After Massive Customer Data Breach


Home Depot will pay $17.5 million to 45 states and the District of Columbia to resolve a multi-state investigation launched in the wake of a breach of the company’s point-of-sale information systems – specifically those involving its self-checkout kiosks.

In addition to its monetary terms, today’s settlement requires Home Depot to implement extensive reforms designed to prevent future breaches by strengthening its data security systems and encryption protocols.

“As self-checkout options proliferate and shoppers increasingly elect to pay using their phones or credit cards, retailers have a greater responsibility than ever to safeguard not only their online data systems, but their point-of-sale systems as well,” said Division of Consumer Affairs Acting Director Paul R. Rodríguez. “If retailers are going to receive consumers’ personal information and retain it in a database, they have a duty to be vigilant about securing their data. The terms of this settlement are designed to ensure that happens going forward.”

As a result of the data breach at Home Depot, intruders obtained the names, payment card numbers, expiration dates and security codes of more than 40 million individuals between April 10, 2014 and September 13, 2014. In addition, the attack resulted in the compromise of 53 million consumer email addresses and passwords. Home Depot did not discover the breach until months later.

The multi-state investigation looked at how intruders bypassed Home Depot’s cyber protection measures and placed malware enabling the theft of consumer information that consumers entered at store self-checkout kiosks. The settlement includes a host of injunctive terms designed to shore up cyber security at Home Depot, including requirements that the company:

  • Create an Information Security Program headed by an executive or officer whose chief role will be to implement the program and advise Home Depot’s CEO and Board of Directors on security issues;
  • Provide security awareness and privacy training for all Home Depot personnel whose jobs involve access to, and responsibility for, the company network or consumers’ personal data;
  • Maintain encryption protocols designed to encrypt personal information stored on laptops or other portable devices, or when transmitted across public networks wirelessly;
  • Seek to devalue payment card information through such methods as encrypting that information throughout the course of a retail transaction at a Home Depot store;
  • Take steps to scan and map the connections between its cardholder data environment and the rest of Home Depot’s company network to determine avenues of traffic and identify potential vulnerabilities;
  • Implement password policies that use controls designed to manage access to, and use of, Home Depot’s individual accounts, service accounts and vendor accounts. The policies must require strong and complex passwords and password rotation, and prohibit the use of default, group, shared, or generic passwords;
  • Adopt a two-factor authentication approach both for the company’s system administrator accounts and for remote access to the company network; and
  • Employ firewall policies and use software and hardware tools that restrict connections between Home Depot’s internal networks and its cardholder data environment.
