The largest home improvement retailer based in North America, Home Depot, will pay out a huge settlement of £17.5m to make recompense for a data breach in 2014 when its dedicated systems for Point of Sale (PoS) suffered a malware infection.

The settlement was recently announced by the Attorney General for Delaware, Kathy Jennings, and comprises an accord between the retail giant, 46 different states and the District of Columbia.

Cyber strike affects Home Depot’s customer base

Back in 2014, the retailer confirmed it had been subject to a cyber assault, with the attack hitting its payments systems and affecting its customers based across both the United States and Canada. Investigation uncovered that the initial attack took place in April 2014 but was not detected until five months later in September.

The state-of-the-art cyber-attack was a mirror image of another assault that occurred in 2013, suffered by the company’s rival, another leading US retailer, Target. The insidious attack involved the retailer’s PoS systems being infected with a form of malware, specifically engineered to steal data from customer payment cards.

Estimates indicate that around 40 million customers of Home Depot were affected by the 2014 attack's PoS malware, which was secretly embedded in the retailer's self-checkout system for many months. The information acquired by the cybercriminals responsible for the data breach included sensitive details that made it possible for a wide range of crimes to be committed against customers. For example, payment card details can be used to make fraudulent purchases online, and credit cards can be copied and cloned, resulting in customers' bank accounts being raided and their credit status being negatively impacted.

Additional steps taken by Home Depot

In conjunction with the large-scale settlement, the US retailer has also agreed to employ and maintain greater levels of security going forwards. These new measures include hiring a Chief Information Security Officer, adopting regular training to raise security awareness, employing multifactor authentication standards, and rolling out all its security improvements for network access to all parts of its business.

The Attorney General for Massachusetts, Maura Healey, commented on the recent settlement and the new measures adopted by Home Depot:

“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop. This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”

When the 2014 data breach occurred at Home Depot, no online customers were impacted. Now, six years later, cybercrime involving payment card data is rampant. Information on customer credit and debit cards is commonly harvested via e-commerce sites, using tactics that cybersecurity experts call "Magecart attacks".

Rather than penetrating the vulnerable defences of corporate networks so they can hit PoS systems, the latest Magecart threat operators identify weaknesses present in online platforms. They then use JavaScript code to obtain any payment details entered by customers in digital forms when they are buying items.