The Home Depot will pay $17.5 million to resolve investigations into its 2014 data breach that exposed the payment card information of about 40 million Home Depot customers throughout the nation.
The breach occurred when hackers gained access to the company's network and put malware on its self-checkout system.
The malware allowed the hackers to obtain the payment card information of customers who used self-checkout lanes at The Home Depot stores throughout the United States between April 10, 2014, and Sept. 13, 2014.
“New Yorkers have every reasonable expectation that their personal financial information will remain private and protected,” said Attorney General Letitia James. “Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk.”
In addition to the settlement payment, The Home Depot has agreed to carry out data security practices to strengthen its information security program and safeguard the personal information of consumers.
Specific provisions include:
- Employing a chief information security officer who will report to the senior executives and board of directors on Home Depot’s security and security risks.
- Providing the resources required to carry out the company’s information security program.
- Providing security and privacy training to all personnel who have access to the company’s network or responsibility for consumers’ personal information.
- Employing security safeguards for access controls, password management, two-factor authentication, firewalls, encryption, risk assessments, penetration testing, and vendor account management.
The company’s management of the security program will be evaluated through an information security assessment.
Forty-seven attorneys general participated in the settlement. In addition to New York, they include California, Colorado, Connecticut, Florida, Illinois, Indiana, Massachusetts, Michigan, Ohio, Pennsylvania, Texas, Washington, and Wisconsin.