Home Depot Breach Update

Home Depot reported today that it spent $43 million in its third quarter dealing with the fallout of its security breach earlier this year. Of the $43 million, $15 million will be paid for out of its $100 million cyber liability policy.

From the press release:

  • The retailer warned that it expects “to incur significant legal and other professional services expenses associated with the data breach in future periods.”
  • Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders.
  • Payment card networks may make claims seeking to recover incremental counterfeit fraud losses and costs for reissuing cards, Home Depot wrote. Its liability will depend on whether it was noncompliant with data security standards, which contributed to the breach.
  • Home Depot did pass a PCI audit in the fall of 2013 and was working on its 2014 audit at the time of the breach.
  • “The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the data breach,”

This last bullet is the bombshell in this release. What have they discovered that would lead them to believe they were not compliant at the time of the breach? If this turns out to be true, it could subject the company to fines from the credit card issuers and give the folks suing them some powerful ammunition in their lawsuits. They must have found something very significant to be releasing that statement at this time.