Tag Archives: Home Depot

Banks Can Sue Home Depot, Court Rules

A federal judge in Georgia has ruled that the class action lawsuit filed by banks against Home Depot over Home Depot’s massive 2014 breach may proceed.  The judge ruled that the banks’ allegations of negligence on Home Depot’s part appear to have merit.  That is probably not a great start for Team Home Depot.


The banks want to be reimbursed for losses they experienced and for costs of reissuing cards.  While big banks can reissue cards for less than $5 each, small banks spend up to $10 each.  If we use the lower number times the 50 million cards compromised, that cost alone is $250 million, which is more than Home Depot has spent so far as a result of the breach (About $150 million net of insurance).  That does not consider the cost of any fraud, which the banks want to recover as well.

*IF* the banks are successful in the end, this would really change the game regarding credit card breaches.

District Court Judge Thomas Thrash apparently does not believe than Home Depot is totally innocent in this situation. He said:

“The court declines the defendant’s invitation to hold that it had no legal duty to safeguard information, even though it had warnings that its data security was inadequate and failed to heed them,” Thrash writes. “To hold that no such duty existed would allow retailers to use outdated security measures and turn a blind eye to the ever-increasing risk of cyberattacks, leaving consumers with no recourse to recover damages, even though the retailer was in a superior position to safeguard the public from such a risk.”

There are some unusual details in this case – not all other cases would necessarily match this one.  According to the suit:

  • As far back as 2008, Home Depot’s IT staff told management that the retailer’s computer systems were easy prey for hackers.
  • Home Depot was warned again in 2009 and 2010 by computer experts that they needed to encrypt point of sale data and that there were security flaws that would allow hackers to infiltrate the network without setting off alarms.
  • In 2011 numerous employees working on data security issues left, leaving the IT department understaffed.
  • In 2013, in two separate breaches, point of sales terminals in Texas and Maryland were infected.
  • On October 1, 2013, FishNet Security warned Home Depot that their systems were vulnerable because the firewall was not operating properly (THE firewall?  Really?  ONE firewall?).
  • In December 2013, when the Target breach occurred, Home Depot finally decided to form a committee.
  • In January 2014 an outside consultant told Home Depot that their network was vulnerable to attack and did not comply with industry standards.  I assume this was their annual PCI audit, since Home Depot did admit that they were not PCI compliant at the time of the attack after initially saying that they were.
  • In February 2014, the committee offered recommendations to improve security, but by the time Home Depot started to implement these changes, the attackers were already inside the network.  That likely occurred in March or April 2014.

Obviously, there is a long way to go before this is ultimately decided – likely years – but there is enough money at stake, maybe $250 to $500 million, that Home Depot is going to fight this.   However, the allegations that have come out already are not pretty and *IF* this goes to trial, we should assume we will see more of this.

Also remember that the insurance has paid out all that they are going to pay, so when there is a settlement or judgement, the money will come out of shareholders’ pockets.  This is true even if the insurance is paying for the legal defense, which they could be doing, depending on the terms of their insurance policy.  Sometimes, legal expenses fit into a separate bucket and sometimes that is not capped.

Finally, it is important to remember that their is a shareholder derivative class action lawsuit also pending and the facts that are established in this case could affect the outcome of that case.

What is clear is that Home Depot is going to be very familiar with the inside of courtrooms, depositions and motions for years to come.

Without regard to the eventual outcome of these class action lawsuits, two years have passed since the breach was discovered and the lawsuits haven’t even hit the trial court yet, never mind appeals.  This will be a  big distraction for the Home Depot management team and Board for quite a while.

Information for this post came from Bank Info Security.

Home Depot Still Dealing With The After Effects Of The Breach

In late 2014 Home Depot announced that hackers compromised their security and stole 50 million credit cards and another 50 million loyalty cards.  18 months later, there are still three class action lawsuits pending.  One is close to settling.  In a recent 10-K filing with the SEC, Home Depot said that they had spent over $150 million on the breach, net of what their insurance paid, which is reputed to be another $90-$100 million.

While I do not have any personal knowledge of the breach, industry reports suggest that their cyber hygiene was sub-standard, an issue that could affect the outcome of the three class actions still in play.

Some people say that the breach was not so bad.  They measure that by the stock price and that has held up.  Part of that may be that Home Depot did a better job of communicating, but it may be that investors know that the business will eventually recover.  If you assume that they spent $161 million so far and there are still lawsuits to settle, they could easily spend a quarter of a billion dollars – or more – before this is over.  That, I suggest, is bad.  It is money that would have otherwise flowed to shareholders or been reinvested in the business.  Now it will go to lawyers and plaintiffs.

The first lawsuit to be filed was by consumers and it is the least painful.  Since the banks make consumers whole, for the most part, the value of the damage is small. Currently, there is a preliminary settlement for this suit, which, if approved, would cost Home Depot another $20 million plus a requirement to enhance security – whatever that costs.

The second suit is from the banks.   They say they spent $150 million reissuing cards.  Fraud is on top of that.  Home Depot’s lawyers say that the banks don’t have standing to sue.  We shall see.  Home Depot’s story is that they don’t have a contract with YOUR bank – the one that reissued your card, only their bank.  This has been tried before without success, but you can’t blame a guy for trying.  Stay tuned.  This COULD cost Home Depot a lot of money, depending.

The third lawsuit is from the shareholders, who filed a derivative lawsuit against the company and 12 board members directly.  This is the one that could hurt.  So far, it has been next to impossible to succeed at suing Boards and Directors, but this is no ordinary breach, so stay tuned.  The suit says that the company and the Board breached their fiduciary duty by failing to make sure that the company took reasonable steps to protect consumer’s information.  What is unclear is what the damage is. If the stock price didn’t take a hit, were they damaged?  Of course, the company will spend $150-$250-$350 million dealing with the breach.  Maybe the company would be much better off if the executives could focus for 3 or 4 years on running the company rather than fending off lawsuits.  IF this suit prevails, it could open up the floodgates for similar shareholder lawsuits.

We do need to remember that the $161 million expense is pretax, so depending on their tax rate, it will be less.  Of course, that means that you and I get to pay again for Home Depot’s mismanagement – the first time in bank fees that the banks use to cover the breach cost and the second time in tax savings because breach costs are tax deductible.

All companies should be watching for the outcome of this case and checking out their cyber breach preparedness.  For small companies, suits like this are often fatal.

Information for this post came from JDSupra.

Home Depot Breach Update

Home Depot reported today that it spent $43 million in it’s third quarter dealing with the fallout of it’s security breach earlier this year.  Of the $43 million, $15 million will be paid for out of its $100 million cyber liability policy.

From the press release:

  • The retailer warned that it expects “to incur significant legal and other professional services expenses associated with the data breach in future periods.”
  • Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders.
  • Payment card networks may make claims seeking to recover incremental counterfeit fraud losses and costs for reissuing cards, Home Depot wrote. Its liability will depend on whether it was noncompliant with data security standards, which contributed to the breach.
  • Home Depot did pass a PCI audit in the fall of 2013 and was working on its 2014 audit at the time of the breach.
  • “The forensic investigator working on behalf of the payment card networks may claim the company was not in compliance with those standards at the time of the data breach,”

This last bullet is the bombshell in this release.  What have they discovered that would lead them to believe they were not compliant at the time of the breach.  If this turns out to be true, it could subject the company to fines from the credit card issuers and give the folks suing them some powerful ammunition in their lawsuits. They must have found something very significant to be releasing that statement at this time.





More News About Home Depot Breach

According to an article in ARS technica this past weekend, Home Depot has some interesting factoids in their security background.

Just to be clear, this is only one side of the story, and I suspect they are neither the best nor the worst when it comes to security – but I don’t have any insider knowledge.

First, the article says that their senior IT security architect had been fired from his previous job and that he sabotaged his former employer’s network in revenge.  You might think this is hearsay, but he was indicted and pleaded guilty, which would tend to confirm those facts.  He continued to work in security at Home Depot for a year after his indictment.  There may be HR issues if they fired him at that point (innocent till proven guilty) but they are a big company – move him or put him on paid leave.  Under those circumstances don’t leave him in that position.

Again, according to the article, Home Depot ran out of date AV software (from 2007) and the company did not perform network behavior monitoring to detect unusual traffic to its POS system.   Assuming these facts and others in the article are true, Home Depot has a lot of explaining to do if they wind up getting sued (at least one suit has been filed and it is seeking class action status).

Maybe I don’t understand things well, but my thought is the POS system should be sandboxed and it should be locked down with respect to IP addresses that it can talk to.  Seems to me that it should be able to only talk to its service providers and those should come from known IPs.  Support should come over a VPN as an additional layer of defense.  That would reduce the likelihood that even if the bad guys get in, that they would be able to get data out.

Security usually shows up as a cost and not a profit center so you can usually do more that you can afford, but Target, Home Depot and others should be a clear message that the bad guys are out there and likely after you.

I think it is a story of pay me now or pay me later.

Mitch Tanenbaum

Home Depot Credit Card Breach – Good News (sort of)

Home Depot released a press release today providing some more details on the recent and until now ongoing credit card breach.

The good news is that the breach primarily affected self checkout stations between April and September of this year.  Home Depot likely has a pretty good security department which means that this malware must have been pretty sophisticated.  Home Depot also says that the means of entry for the malware has been closed and a security update has been installed to encrypt the data earlier in the process.

The rest of the good news is that because the breach primarily affected self checkout stations, far fewer cards were affected.  Home Depot says that only around 56,000,000 cards were affected.

If you used your credit card between April and September at Home Depot, free identity protection is available at this link.  The link includes details, a way to sign up and a tool free number to call in case you need assistance with fraud.