A years-long investigation into a security breach exposing the personal information of 40 million customers is set to finally end for home improvement retailer The Home Depot Inc. The Atlanta-based company reached a multistate agreement, through which it will compensate 46 states and the District of Columbia with a total of $17.5 million. The incident occurred in 2014, when hackers gained access to the retailer’s network and deployed malware on its self-checkout point-of-sale systems, giving them access to the payment card information of customers who used self-checkout lanes between April 10, 2014, and September 13, 2014. The company agreed to implement a series of practices and improvements designed to bolster its information security, which, according to the terms of the agreement, must be in place within 180 days after December 21, 2020.

“Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk,” said New York Attorney General Letitia James, whose state will receive nearly $600,000. The company agreed to undergo a post-settlement assessment of information security—one that’s consistent with previous state data breach settlements, James said.

Among the steps that Home Depot must take as a result of the settlement is the addition of a chief information security officer who will report to both senior or C-level executives and its board of directors. The company also agreed to provide appropriate security awareness and privacy training for every employee who has access to the company’s network or is otherwise responsible for consumers’ personal information. Other key commitments include reasonable efforts to maintain software, ensuring that systems are fully updated with the latest security measures, and the use of proper encryption methods.

“The Home Depot has agreed to implement and maintain a series of data security practices designed to strengthen information security programs and safeguard consumers’ personal information,” said Texas Attorney General Ken Paxton. “This settlement serves to promote fair but rigorous compliance with state laws which require businesses that collect sensitive personal information to implement procedures to protect consumers’ information from unlawful use or disclosure.”

To help prevent future breaches, the company’s engineers are tasked with segmenting its cardholder data environment and mapping connections to the company network in order to determine avenues of traffic. In addition to two-factor authentication for both system administrator accounts and remote access, and “strong and complex passwords,” the company must take steps to ensure password rotation, firewalls, file integrity monitoring and payment card security, as well as maintain separation of its development and production environments. Logging must also be established to monitor network activity for any device attempting to connect to cardholder data.

According to the settlement agreement, after implementing the improvements, the company must undergo annual risk assessments, including documentation of the safeguards implemented.

“Families should always have peace of mind that their personal information is safe and secure while they shop,” said California Attorney General Xavier Becerra. “Every company like Home Depot that collects confidential personal data must put its house in order and provide reasonable data security. As today’s settlement makes clear, companies that don’t adequately secure data face serious consequences.”
