
Home Depot pays $25 million to settle banking suit

Class action suit involves dozens of banks and CUs in wake of 2014 breach—$2 a pop

Another settlement stemming from 2014 breach makes Big Orange cough up more green.

In the continuing fallout from the massive data breach incurred by Home Depot in 2014, the home improvement retailer agreed to settle a class action suit filed by dozens of depository institutions.

The retailer agreed to pay $25 million for damages the banks and credit unions incurred as a result of the breach. Each institution will receive $2 for every card it issued that was on the list of compromised cards, primarily to compensate for costs of reissuance. Also, Home Depot was required to upgrade its cybersecurity protections and increase its scrutiny of its third-party vendors.

This settlement is in addition to a reported $134.5 million that Home Depot has paid in a previous settlement with Visa, Mastercard, American Express, and Discover, and various banks. It is also in addition to $19.5 million the retailer allocated to settle claims by affected customers.

In all, the 2014 data breach, which involved the theft of email or credit/debit card information from an estimated 50 million consumers, has cost Home Depot about $180 million, according to Jeff John Roberts, writing in Fortune magazine.

Settlement underscores risks

Observers commented that this recent settlement—filed in federal court in Atlanta—highlights the need for retailers to beef up their cybersecurity systems.

“As with all retail data breaches, banks worked with Home Depot customers to reimburse them for any unauthorized transactions they may have incurred,” says Doug Johnson, senior vice-president, payments and cybersecurity policy, at the American Bankers Association, to Banking Exchange. “We continue to encourage retailers to enhance data security measures to prevent such breaches from occurring in the future.”

A case study published by the SANS Institute, written by Brett Hawkins, details how the cybercriminals hacked Home Depot’s point-of-sale system. In short, the attackers used a third-party vendor’s logon credentials to exploit a “zero-day vulnerability” in Windows, allowing them to pivot from the vendor’s area into the parent company’s corporate system.

The term zero-day vulnerability refers to a hole in software that is unknown to the vendor, according to the online dictionary. This security hole is then exploited before the vendor becomes aware and hurries to fix it—this exploit is called a “zero-day attack.”

Once inside the Home Depot system the thieves installed what is called “memory scraping malware” on more than 7,500 self-checkout POS terminals, which in turn captured sensitive credit- and debit-card information. This information was used to create bogus cards, which were then sold to others. The criminals also collected 53 million e-mail addresses subsequently used for phishing exploits.

Preventative measures to be taken

Hawkins, in his case study, focuses on three countermeasures that Home Depot, as well as many other retailers, could use to prevent this particular type of breach. They are:

Point-to-point encryption, which encrypts user information at the point-of-sale terminal when the card is swiped, and before the information is stored in memory.

This information goes to a tamper-resistant security module, which has an industry-standard algorithm that provides a unique key for the transaction. The data then goes to an off-site hardware security module owned by the POS solution provider, where the data is decrypted, and then re-encrypted using the bank’s encryption key, and forwarded on to the bank for final decryption.

Network segregation, in which the POS network is completely separate from the rest of the retailer’s corporate network.

Improving the management of third-party vendor credentials. All third-party vendors should be allowed the minimal access needed to perform their tasks and should be denied access to internal resources, unless required.
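The point-to-point encryption flow described above, as an added example (not code from Hawkins’s case study or from Home Depot): the terminal encrypts under a per-transaction key, so the buffer the POS host holds contains no cleartext card number for a scan to find. The keys, terminal ID and track data are constructed, and an HMAC-SHA256 derivation and keystream stand in for the industry-standard algorithm and cipher, which the article does not name.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not from the article).
TERMINAL_BASE_KEY = b"constructed-terminal-base-key"  # terminal security module + provider HSM
BANK_KEY = b"constructed-bank-key"                    # provider HSM + bank
TRACK2 = b";4111111111111111=25121010000?"            # widely used test card number

def transaction_key(base_key, terminal_id, counter):
    """Unique key per transaction (HMAC stands in for the standard derivation)."""
    msg = terminal_id + counter.to_bytes(4, "big")
    return hmac.new(base_key, msg, hashlib.sha256).digest()

def xor_stream(key, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream; same call decrypts."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def cleartext_pans(buffer):
    """DLP-style check: Luhn-valid 13-19 digit runs visible in a buffer."""
    runs = re.findall(rb"\d{13,19}", buffer)
    return [r.decode() for r in runs if luhn_ok(r.decode())]

def run_flow(terminal_id=b"T0001", counter=1):
    """Return (what the POS host holds, what the bank recovers)."""
    txn_key = transaction_key(TERMINAL_BASE_KEY, terminal_id, counter)
    # 1. Terminal security module encrypts at swipe; the POS host only gets this.
    pos_host_buffer = xor_stream(txn_key, TRACK2)
    # 2. Off-site provider HSM derives the same key, decrypts, re-encrypts for the bank.
    to_bank = xor_stream(BANK_KEY, xor_stream(txn_key, pos_host_buffer))
    # 3. Bank performs the final decryption.
    return pos_host_buffer, xor_stream(BANK_KEY, to_bank)
```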

Read Home Depot settlement document

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News.
