Attorney General Cameron Announces $17.5 Million Multistate Settlement with Home Depot for Data Breach

FRANKFORT, Ky. (November 24, 2020) – Attorney General Daniel Cameron today announced a $17.5 million multistate settlement with Home Depot U.S.A., Inc. and The Home Depot, Inc. (“Home Depot”) for a data breach, which exposed the payment card information of approximately 40 million Home Depot consumers nationwide.

The settlement, reached between Home Depot U.S.A., Inc. and The Home Depot, Inc. and 46 attorneys general, resolves an investigation into the 2014 data breach. Under the settlement, Kentucky will receive $188,570.63.

“This settlement ensures that businesses, like Home Depot, take the necessary steps to appropriately safeguard consumer data,” said Attorney General Cameron.  “This is one example of the work our Office of Consumer Protection undertakes, on behalf of all Kentuckians, to ensure that our Consumer Protection and Data Privacy laws are followed.”

Between April 10, 2014, and Sept. 13, 2014, hackers gained access to Home Depot’s network and deployed malware on the company’s self-checkout point-of-sale system. The malware allowed the hackers to obtain the payment card information of customers who used self-checkout lanes at Home Depot stores throughout the United States.

In addition to the $17.5 million payment to the attorneys general, Home Depot has agreed to implement and maintain a series of data security practices designed to strengthen its information security program and safeguard the personal information of consumers.

Under the settlement, Home Depot agrees to:

  • Employ a duly qualified Chief Information Security Officer who will report to both the Senior or C-level executives and Board of Directors regarding Home Depot’s security posture and security risks.
  • Provide resources necessary to fully implement the company’s information security program.
  • Provide appropriate security awareness and privacy training to all personnel who have access to the company’s network or responsibility for the personal information of U.S. consumers.
  • Employ specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management.
  • Undergo a post-settlement information security assessment, which in part will evaluate its implementation of the agreed-upon information security program.

Attorney General Cameron was joined by attorneys general of Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin in the settlement.
