Dive Brief:
- The Home Depot reached a $17.5 million multistate settlement to resolve an investigation into its 2014 data breach that compromised the payment information of 40 million customers around the country.
- As part of the agreement, Home Depot agreed to employ a chief information security officer who reports directly to the board of directors and senior/C-level executives, according to New York State Attorney General Letitia James.
- Home Depot also agreed to provide security training to all workers with access to the company network or access to customer information, according to the announcement. It will also employ security safeguards including encryption, password management, two-factor authentication, logging and penetration testing.
Dive Insight:
The data breach occurred after hackers put malware on Home Depot's point-of-sale system, which allowed them to gain access to the company's self-checkout sales across the U.S. from April 10 through Sept. 13, 2014. Despite the settlement, Home Depot has already spent years shoring up its security posture.
Home Depot has taken several steps to protect customers, including following the National Institute of Standards and Technology Cybersecurity Framework, company spokesperson Sara Gorman said.
The company hired its first officer-level CISO in 2015 following the data breach. It also has a Data Security and Privacy Governance Committee that provides enterprise-level oversight and governance over data protection and cybersecurity. The committee provides regular reports to the company Audit Committee and Board.
Steve Adegbite was named CISO at Home Depot in August 2018, after the home improvement retailer's first CISO, Jamil Farshchi, went to Equifax in February of that year to help the credit reporting agency recover from a massive data breach. Stephen Ward was named CISO at Home Depot in January 2019.
Home Depot also paid $19.5 million to settle litigation by consumers.
"We're glad to put this matter behind us and continue to focus on serving our customers," Gorman said via email. "Security has always been a top priority for The Home Depot. When this occurred six years ago, we moved quickly to inform and protect our customers, offering more than 50 million customers free identity protection services, including free credit monitoring."