Tue | Dec 1, 2020 | 2:01 PM PST

The Home Depot recently reached a multi-state agreement which settles an investigation into a 2014 data breach. The data breach compromised payment card information of roughly 40 million customers.

The company will pay a total of $17.5 million to 46 U.S. states and the District of Columbia. It has also agreed to strengthen its information security program through a series of steps, which must be done within 180 days of the agreement.

The Home Depot data breach and agreement

In 2014, hackers accessed the company's network and installed malware to the self-checkout point-of-sale system. This allowed the attackers to steal payment card information of customers who used self-checkout lanes between April and September of that year.

New York Attorney General Letitia James was the one to announce the agreement with The Home Depot. She shared her thoughts regarding the data breach:

"New Yorkers have every reasonable expectation that their personal financial information will remain private and protected. Instead of building a secure system, The Home Depot failed to protect consumers and put their data at risk. My office is committed to protecting consumers, which is why we will continue to use every instrument in our toolbox to hold accountable companies that fail to safeguard personal information."

Of the $17.5 million the company has agreed to pay out to the affected states, nearly $600,000 will go to the state of New York.

5 security changes The Home Depot must make

The company will have 180 days to implement five things it has agreed to change following the company's data breach. They are:
  1. "Employing a duly qualified chief information security officer—reporting to both senior or C-level executives and the board of directors regarding The Home Depot's security posture and security risks;
  2. Providing resources necessary to fully implement the company's information security program;
  3. Providing appropriate security awareness and privacy training to all personnel who have access to the company's network or responsibility for U.S. consumers' personal information;
  4. Employing specific security safeguards with respect to logging and monitoring, access controls, password management, two-factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  5. Undergoing a post settlement information security assessment—consistent with previous state data breach settlements—that, in part, will evaluate its implementation of the agreed upon information security program."

If you wish to read the settlement between The Home Depot and the State of New York in its entirety, here is the official settlement.