Attorney General Becerra Announces $17.5 Million Settlement Against Home Depot Over Credit Card Data Breach

SACRAMENTO – California Attorney General Xavier Becerra today announced a $17.5 million multistate settlement with The Home Depot, Inc. (Home Depot), resolving allegations that the retailer failed to adequately protect the payment card information of approximately 40 million customers compromised in a 2014 data breach. California will receive more than $1.8 million from the settlement, which includes injunctive terms that require Home Depot to tighten its information security program to prevent future breaches.

“Families should always have peace of mind that their personal information is safe and secure while they shop. Every company like Home Depot that collects confidential personal data must put its house in order and provide reasonable data security,” said Attorney General Becerra. “As today’s settlement makes clear, companies that don’t adequately secure data face serious consequences.”

In 2014, Home Depot reported a payment card system breach. Attackers used stolen credentials to access Home Depot’s network, then installed malware on point-of-sale devices at Home Depot’s stores. The breach resulted in the compromise of payment card information from approximately 40 million customers.

The multistate investigation revealed that Home Depot failed to carry out basic security procedures that would have fixed known technological vulnerabilities, and did not properly monitor suspicious activity occurring on systems that maintained personal information. The company also failed to stay apprised of evolving security standards.

The injunctive terms require Home Depot to comply with robust data security improvements to prevent future breaches, including implementing a comprehensive information security program to protect the integrity and confidentiality of consumers’ personal information. The settlement also requires Home Depot to provide security awareness and privacy training to all personnel with responsibility over consumer personal data or the company network. Home Depot will also tighten policies and procedures around an array of security features including payment card security technologies.

Today's settlement underscores Attorney General Becerra's commitment to hold companies accountable for protecting customer information. Late last month, Attorney General Becerra secured an $8.69 million settlement against Anthem, Inc., resolving similar allegations that the health insurance provider violated consumer protection and privacy laws arising from a 2014 data breach. In July 2019, Attorney General Becerra announced a $600 million settlement with Equifax that resolved allegations that the credit reporting agency exposed the personal information of 147 million consumers. And in May 2017, Attorney General Becerra secured a record $18.5 million multistate settlement with Target, in response to allegations that the company’s data security lapses led to the exposure of credit card information of over 40 million customers during the 2013 holiday season.

In securing the settlement, Attorney General Becerra joins the attorneys general of Connecticut, Illinois, Texas, Alaska, Arizona, Arkansas, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and the District of Columbia.

A copy of the complaint can be found here. A copy of the proposed judgment can be found here.