A little more than a year after some 56 million customer credit card numbers were exposed to hackers in one of the nation’s largest security breaches, Home Depot’s reputation and bottom line have survived relatively unscathed.
But the breach prompted internal changes at the Atlanta home improvement giant and left it with lingering legal headaches.
More than 50 lawsuits filed since the company disclosed in September 2014 it had been hacked have been consolidated into two suits, each seeking class action status — one for consumers and the other for financial institutions such as banks and credit unions.
Experts say Home Depot is likely to settle out-of-court to both avoid the millions in costs it will take to fight the litigation and the public relations damage it could suffer if either case went to trial.
Fellow retail heavyweight Target agreed to a $10 million settlement in a class-action case spawned by its high-profile security breach in 2013.
“You can spend millions and millions and millions of dollars and have a significant distraction from your core business,” John Hutchins, an attorney with law firm LeClairRyan who blogs about data security, said in explaining the rationale behind settling.
Home Depot so far has sought to quash the lawsuits, which have not yet been certified as class actions — a key step that would raise the stakes. Its attorneys argued for dismissal of the suits Thursday in U.S. District Court in Atlanta. A decision is pending.
They called the litigation frivolous and said plaintiffs for customers had not demonstrated harm to shoppers. As for financial institutions, they said covering losses from stolen cards is a normal course of business.
Attorneys for consumers and the banks countered that Home Depot was negligent in protecting consumer information, despite being warned by workers that its security was inadequate.
The attorneys, who include former Georgia Gov. Roy Barnes, a lead attorney for the consumer case, said consumers had been harmed by the burden of being forced to report the hack to credit bureaus and monitoring their accounts for illegal activities.
Banks argue they spent millions sending customers new credit cards and covering fraudulent transactions.
Courts have been divided on whether lawsuits have demonstrated actual harm to customers or financial institutions, bars that must be met for the class action lawsuits to be certified, Hutchins said. When consumers have argued that the breach could hurt them down the road because credit thieves don’t always use cards immediately, courts have called that speculative.
To date, Home Depot said it has had $232 million in expenses stemming from the security breach, but experts say that number is likely to grow. The company has a $100 million insurance policy on network security and privacy liability.
Handling a breach is high stakes as security hacks have continued unabated with criminals infiltrating government, medical institutions and companies of every stripe, including credit agency Experian.
The number of hacks so far this year, 619, is just slightly fewer than the about 630 during the same period last year, which was a record high, said Karen Barney, program director of the Identity Theft Resource Center.
“It’s definitely been pervasive,” Barney said, adding that the number represents only reported breaches. Many hacks go unreported because states mandate they meet a certain size before disclosure is necessary.
Hacks at major companies or agencies often involve eye-popping numbers of people whose information is exposed. But it’s rarely clear how many actually have the information used for fraudulent purposes, and no number has been disclosed in the Home Depot case.
The Home Depot breach took place between April and September last year at stores in the U.S. and Canada. The hacker — never identified or prosecuted — breached the company by using a vendor’s user name and password.
In addition to the credit information exposed, about 53 million email addresses also were hacked. Even if consumers’ credit card numbers aren’t used fraudulently, they may still be susceptible to email scams or the use of their addresses for spamming, experts say.
A Home Depot spokesman declined to discuss the lawsuits, saying, “We’ll continue to address litigation in the proper legal forum, but our primary focus has been and continues to be on our customers.”
The company, however, said it added enhanced encryption to all stores last year. Like other retailers it has also rolled out updated card readers to handle the new “chip-enabled” credit cards that are said to be more secure.
Internally, the company elevated its chief information security officer to senior management so the position could focus solely on data security.
In addition, Linda Gooden, a former Lockheed Martin executive vice president with an extensive background in information technology, cybersecurity, operations and finance, was named to the company’s board Oct. 5. Workers were trained to protect equipment and identify phishing and other cyber attack methods.
While encryption is helpful, financial institutions argue that a unified security standard is needed if the nation is going to successfully tackle data security. Legislation to do that, the Data Security Act of 2015, has been introduced in both houses of Congress but has not gotten much traction.
“It would elevate the same data security standards to everyone,” said Sam Whitfield deputy chief advocacy officer for Congressional relations for the Credit Union National Association. “It is not the silver bullet, but with it we can minimize the problem.”
CUNA, which is among the financial institutions suing Home Depot, also wants notifications laws surrounding breaches changed to allow financial institutions to tell customers the origins of a hack. Right now, banks and credit unions can only say a breach has happened, offer consumers tips to protect their credit history and issue new cards.
“We can’t disclose a lot of information on the threat of being sued,” he said.
Charles Hoff, CEO of cybersecurity website PCI University, said Home Depot has rebounded well from its security crisis, but warned that collecting personal data such as email addresses to market products makes the company — and all big box retailers for that matter — targets for data thieves.
“Hackers have gotten much more sophisticated and really love the information aggregation,” he said. “It’s a treasure trove for hackers.”
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.