Home Depot reaches $17.5 million settlement over 2014 data breach
The State of Connecticut will collect $1,093,196.25 through this settlement.
The breach occurred when hackers gained access to the Home Depot network and deployed malware on Home Depot’s point-of-sale system.
The malware allowed the hackers to obtain the payment card information of customers who used self-checkout lanes at Home Depot stores throughout the U.S.
between April 10 and September 13, 2014.
In addition to the $17.5 million total payment to the states, Home Depot has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.
“Companies like Home Depot who collect sensitive personal information from their customers have an obligation to protect that information from unlawful use or disclosure.
Home Depot failed to take those precautions, and as a result exposed the payment card information of 40 million of their customers.
Connecticut co-led this investigation and settlement, and will continue to lead the nation in enforcing rigorous compliance with state consumer privacy laws,” said Attorney General Tong.
Connecticut co-led the multistate investigation with Texas and Illinois, assisted by California, Florida, Indiana, Massachusetts, New Jersey, North Carolina, Ohio, Pennsylvania, and Vermont, and joined by Alaska, Arizona, Arkansas, Colorado, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Mexico, New York, North Dakota, Oklahoma, Oregon, Rhode Island, South Carolina, Tennessee, Utah, Virginia, Washington, West Virginia, and Wisconsin.
Separate from the multistate settlement, Home Depot previously offered one year of post-breach credit monitoring to impacted consumers.
Under a class action settlement unrelated to the multistate action, Home Depot established a fund to allow for payments to consumers who have documented losses caused by the breach, as well as an additional 18 months of credit monitoring for those who enrolled. ■