Breaking Down the Home Depot Data Breach Lawsuits

Posted by Kaleigh Simmons on Jun 4, 2015 1:15:00 PM
Find me on:


While we’ve been busy keeping a close eye on the happenings of the Target lawsuit, issuers have filed another one - this time against Home Depot and the data breach that occured over the summer of 2014 and exposed 56 million payment cards.

Falling in line with Target, there are two lawsuit tracks - consumer and issuers. Now that both have been formally filed with the United States District Court in Georgia, follow along as we take a deep dive into the complaints and claims listed.

The Consumer Lawsuit

The claim from the consumers is that they suffered significant damages due to Home Depot’s “overarching complacency when it came to data security.” They continued on, classifying many of Home Depot’s security missteps as “Deceptive Trade Practices” - including their failure to maintain adequate computer and networking systems to keep data safe, failure to disclose that their systems were inadequate, and continued storage of consumer’s PII well after they should have known about the breach, and before they fixed it.

Consumers are seeking reparation for the following damages:

  • Fraudulent charges on their credit and/or debit cards

  • Identity theft by criminals, and the costs associated with prevention and detection of that

  • Costs associated with fraudulent use of their accounts, and in some cases total loss of use of their accounts

  • The increased costs of purchasing home improvement products at stores other than Home Depot, or refund of products purchased at Home Depot that consumers wouldn’t have made had they known about the deceptive trade practices taking place

Home Depot has recently attempted to get the consumer lawsuit thrown out, stating that, “All of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases ... they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot's alleged conduct.” Judge Thomas W. Thrash has yet to respond to Home Depot’s response.

The Issuer Lawsuit

Filed just last week, the issuer suit calls the breach the “inevitable result of Home Depot’s longstanding approach to the security of its customer’s confidential data, an approach characterized by neglect, incompetence, and an overarching desire to minimize costs.

The lawsuit cites dozens of instances that they believe prove Home Depot’s purposeful neglect in protecting customer data, including:

  • Their failure to maintain an adequate firewall

  • Their failure to restrict access to cardholder data on its network

  • Their failure to use coded numbers to disguise the self-checkout point-of-sale terminals

  • Their failure to maintain and use up-to-date anti-virus software on its point-of-sale terminals

  • Their failure to encrypt cardholder data at the point-of-sale

  • Their failure to track access to its network, as well as scan computer systems for vulnerabilities that could be exploited

They also noted a small data breach that occurred in a Home Depot store in Texas in July 2013. Malware was placed on at least eight point-of-sale terminals, and “should have alerted Home Depot to the possibility that hackers were testing its systems.” A similar small breach took place at a Maryland store in December of that same year, compromising their inadequate firewall, yet the retailer still didn’t make the switch.

Ultimately, after the widespread breach hit the news airwaves in late 2014, Home Depot’s CEO admitted they were fully to blame, stating, “If we rewind the tape, our security systems could have been better. Data security just wasn’t high enough in our mission statement.”

Issuers are seeking reparation for the following damages:

  • Costs associated with cancelling and reissuing payment cards

  • Costs from refunding fraudulent charges

  • Costs associated increasing fraud monitoring on potentially compromised accounts

  • Lost charges and transaction fees due to reduce card usage or reissued cards that never got activated

While BillGuard predicts total fraud losses from this breach to top $3 billion, more precise calculations from the financial institutions involved in this suit will be made over the course of the litigation.

To learn more about how quickly Rippleshot detected the Home Depot breach and the potential savings that could have been gained with our product, download our case study bundle below:

New Call-to-action


Topics: Compromises, Industry News, Lawsuits