U.S. states have reached a settlement over the mammoth 2014 Home Depot breach that will net them $17.5 million, plus an agreement from the home improvement retailer to strengthen its data security practices.
The breach, which compromised 56 million payment card across the U.S., still ranks among the biggest data breaches ever. It’s been an expensive cleanup. Years after the attack, Home Depot estimated the cost at about $179 million and said it was likely to continue growing.
The settlement with 46 states and the District of Columbia adds to the tally. It also comes one month after Home Depot suffered a data breach of its Canadian customers that was much smaller than the 2014 breach that was the subject of the U.S. settlement.
“Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk,” New York Attorney General Letitia James said about the 2014 incident.
In that breach, hackers wormed their way into Home Depot’s network and implanted malware into its self-checkout system, thereby obtaining customer card information over a five-month period.
Under the agreement, Home Depot has to employ a highly qualified chief information security officer, provide security training for key personnel and maintain a set of security policies in areas like encryption, password management and intrusion detection.
Home Depot said it already had made improvements since the breach.
“We’re glad to put this matter behind us and continue to focus on serving our customers. Security has always been a top priority for The Home Depot,” said a spokesperson, Sara Gorman. “When this occurred six years ago, we moved quickly to inform and protect our customers, offering more than 50 million customers free identity protection services including free credit monitoring. Since that time, we’ve also invested heavily to further secure our systems.”