A little more than a year after some 56 million customer credit card numbers were exposed to hackers in one of the nation’s largest security breaches, Home Depot’s reputation and bottom line have survived relatively unscathed.
But the breach prompted internal changes at the Atlanta home improvement giant and left it with lingering legal headaches.
More than 50 lawsuits filed since the company disclosed in September 2014 it had been hacked have been consolidated into two suits, each seeking class action status — one for consumers and the other for financial institutions such as banks and credit unions.
Experts say Home Depot is likely to settle out of court to avoid both the millions in costs it will take to fight the litigation and the public relations damage it could suffer if either case went to trial.
Fellow retail heavyweight Target agreed to a $10 million settlement in a class-action case spawned by its high-profile security breach in 2013.
“You can spend millions and millions and millions of dollars and have a significant distraction from your core business,” John Hutchins, an attorney with law firm LeClairRyan who blogs about data security, said in explaining the rationale behind settling.
Home Depot so far has sought to quash the lawsuits, which have not yet been certified as class actions — a key step that would raise the stakes. Its attorneys argued for dismissal of the suits Thursday in U.S. District Court in Atlanta. A decision is pending.
They called the litigation frivolous and said plaintiffs for customers had not demonstrated harm to shoppers. As for financial institutions, they said covering losses from stolen cards is a normal course of business.
Attorneys for consumers and the banks countered that Home Depot was negligent in protecting consumer information, despite being warned by workers that its security was inadequate.
The attorneys, who include former Georgia Gov. Roy Barnes, a lead attorney for the consumer case, said consumers had been harmed by the burden of being forced to report the hack to credit bureaus and monitor their accounts for illegal activities.
Banks argue they spent millions sending customers new credit cards and covering fraudulent transactions.
Courts have been divided on whether lawsuits have demonstrated actual harm to customers or financial institutions, bars that must be met for the class action lawsuits to be certified, Hutchins said. When consumers have argued that the breach could hurt them down the road because credit thieves don’t always use cards immediately, courts have called that speculative.
To date, Home Depot said it has had $232 million in expenses stemming from the security breach, but experts say that number is likely to grow. The company has a $100 million insurance policy on network security and privacy liability.
Handling a breach is high stakes as security hacks have continued unabated with criminals infiltrating government, medical institutions and companies of every stripe, including credit agency Experian.
The number of hacks so far this year, 619, is just slightly fewer than the roughly 630 during the same period last year, which was a record high, said Karen Barney, program director of the Identity Theft Resource Center.
“It’s definitely been pervasive,” Barney said, adding that the number represents only reported breaches. Many hacks go unreported because states mandate they meet a certain size before disclosure is necessary.
Hacks at major companies or agencies often involve eye-popping numbers of people whose information is exposed. But it’s rarely clear how many actually have the information used for fraudulent purposes, and no number has been disclosed in the Home Depot case.
The Home Depot breach took place between April and September last year at stores in the U.S. and Canada. The hacker — never identified or prosecuted — breached the company by using a vendor’s user name and password.
In addition to the credit information exposed, about 53 million email addresses also were hacked. Even if consumers’ credit card numbers aren’t used fraudulently, they may still be susceptible to email scams or the use of their addresses for spamming, experts say.
A Home Depot spokesman declined to discuss the lawsuits, saying, “We’ll continue to address litigation in the proper legal forum, but our primary focus has been and continues to be on our customers.”
The company, however, said it added enhanced encryption to all stores last year. Like other retailers it has also rolled out updated card readers to handle the new “chip-enabled” credit cards that are said to be more secure.
Internally, the company elevated its chief information security officer to senior management so the position could focus solely on data security.
In addition, Linda Gooden, a former Lockheed Martin executive vice president with an extensive background in information technology, cybersecurity, operations and finance, was named to the company’s board Oct. 5. Workers were trained to protect equipment and identify phishing and other cyber attack methods.
While encryption is helpful, financial institutions argue that a unified security standard is needed if the nation is going to successfully tackle data security. Legislation to do that, the Data Security Act of 2015, has been introduced in both houses of Congress but has not gotten much traction.
“It would elevate the same data security standards to everyone,” said Sam Whitfield, deputy chief advocacy officer for Congressional relations for the Credit Union National Association. “It is not the silver bullet, but with it we can minimize the problem.”
CUNA, which is among the financial institutions suing Home Depot, also wants notification laws surrounding breaches changed to allow financial institutions to tell customers the origins of a hack. Right now, banks and credit unions can only say a breach has happened, offer consumers tips to protect their credit history and issue new cards.
“We can’t disclose a lot of information on the threat of being sued,” he said.
Charles Hoff, CEO of cybersecurity website PCI University, said Home Depot has rebounded well from its security crisis, but warned that collecting personal data such as email addresses to market products makes the company — and all big box retailers for that matter — targets for data thieves.
“Hackers have gotten much more sophisticated and really love the information aggregation,” he said. “It’s a treasure trove for hackers.”
If your personal information is put at risk in a company breach, there are steps to take to protect yourself, says Trey Loughran, chief marketing officer at Equifax.
1. Retain letter or email notifications of a breach. Many businesses offer free identity theft monitoring services after a breach, and you should take advantage of them if they do.
2. Contact the three major credit reporting agencies — Equifax, Experian and TransUnion — and place a fraud alert or credit freeze on your card. Fraud alerts protect against new account fraud by requiring any credit grantor to take extra steps to verify your identity. A credit freeze prevents credit grantors from accessing your credit report altogether, so it would need to be lifted if you need to access credit for a major purchase down the road.
3. Speak with appropriate creditors or banks associated with the breached company and either close those accounts or take your bank’s recommended steps.
4. Monitor bank account statements and credit reports to look for unusual activity, keeping in mind identity thieves may not use your personal information right away.
5. Seek a copy of your credit report. Consumers are entitled under law to receive a free annual credit report from each of the three credit reporting agencies at www.annualcreditreport.com.