Home Depot pays $25 million to settle banking suit

In the continuing fallout from the massive data breach incurred by Home Depot in 2014, the home improvement retailer agreed to settle a class action suit filed by dozens of depository institutions.

The retailer agreed to pay $25 million for damages the banks and credit unions incurred as a result of the breach. Each institution will receive $2 for every card it issued that was on the list of compromised cards, primarily to compensate for costs of reissuance. Also, Home Depot was required to upgrade its cybersecurity protections and increase its scrutiny of its third-party vendors.

This settlement is in addition to a reported $134.5 million that Home Depot has paid in a previous settlement with Visa, Mastercard, American Express, and Discover, and various banks. It is also in addition to $19.5 million the retailer allocated to settle claims by affected customers.

In all, the 2014 data breach, which involved the theft of email or credit/debit card information from an estimated 50 million consumers, has cost Home Depot about $180 million, according to Jeff John Roberts, writing in Fortune magazine.

Settlement underscores risks

Observers commented that this recent settlement—filed in federal court in Atlanta—highlights the need for retailers to beef up their cybersecurity systems.

“As with all retail data breaches, banks worked with Home Depot customers to reimburse them for any unauthorized transactions they may have incurred,” says Doug Johnson, senior vice-president, payments and cybersecurity policy, at the American Bankers Association, to Banking Exchange. “We continue to encourage retailers to enhance data security measures to prevent such breaches from occurring in the future.”

A case study published by the SANS Institute, written by Brett Hawkins, details how the cybercriminals hacked the Home Depot’s point-of-sale system. In short, the attackers used a third-party vendor’s logon credentials to exploit a “zero-day vulnerability” in Windows, allowing them to pivot from the vendor’s area and go into the parent company’s corporate system. 

The term zero-day vulnerability refers to a hole in software that is unknown to the vendor, according to the online dictionary pctools.com. This security hole is then exploited before the vendor becomes aware and hurries to fix it—this exploit is called a “zero-day attack.”

Once inside the Home Depot system the thieves installed what is called “memory scraping malware” on more than 7,500 self-checkout POS terminals, which in turn captured sensitive credit- and debit-card information. This information was used to create bogus cards, which were then sold to others. The criminals also collected 53 million e-mail addresses subsequently used for phishing exploits.

Preventative measures to be taken

Hawkins, in his case study, focuses on three countermeasures that Home Depot, as well as many other retailers, could use to prevent this particular type of breach. They are:

• Point-to-point encryption, which encrypts user information at the point-of-sale terminal when the card is swiped, and before the information is stored in memory.

This information goes to a tamper-resistant security module, which has an industry-standard algorithm that provides a unique key for the transaction. The data then goes to an off-site hardware security module owned by the POS solution provider, where the data is decrypted, and then re-encrypted using the bank’s encryption key, and forwarded on to the bank for final decryption.

• Network segregation, in which the POS network is completely separate from the rest of the retailer’s corporate network.

• Improving the management of third-party vendor credentials. All third-party vendors should be allowed the minimal access needed to perform their tasks and should be denied access to internal resources, unless required.

Read Home Depot settlement document