BreachExchange mailing list archives
Lawsuit: Home Depot data breach was caused by management's 'overarching complacency' over security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:18 -0600
http://www.bizjournals.com/atlanta/news/2015/05/05/lawsuit-home-depot-data-breach-was-caused-by.html

Consumers hurt in the giant Home Depot data breach have filed a consolidated lawsuit that accuses the company's management of "overarching complacency when it came to data security."

In a 187-page complaint filed in federal court in Atlanta on May 1, consumers state their case that by allowing the data breach to occur, Home Depot (NYSE: HD) breached its obligation to protect customers' personal and financial information and violated its own internal policies and standards.

"Home Depot management’s attitude towards data security in the years and months leading up to the breach can best be described as willfully dismissive," the new lawsuit charges. "Notwithstanding the warnings and pleas of many of its employees who recognized the vulnerability of millions of customers’ sensitive information stored in Home Depot’s systems, Home Depot management refused to upgrade its security systems, refused to follow recommendations of information technology (“IT”) employees and experts, and suffered from ineffective leadership in key IT security positions within the organization."

The lawsuit lists a number of security upgrades that it says were "proposed to Home Depot IT executives and explicitly rejected."

"These specific failures, among many others, are consistent with Home Depot management’s overarching complacency when it came to data security," the lawsuit states. "This included woefully understaffing Home Depot’s IT security department, failing to heed the advice of IT security employees and outside consultants, and hiring unqualified individuals to serve in key IT security management positions."

Home Depot in September 2014 revealed that the payment card data and personal information of 56 million customers had been hacked. At least 57 lawsuits were subsequently filed against the company by consumers and financial institutions. Many of these have been consolidated into one big court case that will be fought out in federal court in Atlanta beginning this summer.

Judge Thomas W. Thrash, who is overseeing the case, has split it into two tracks, one for consumers and one for financial institutions. The financial institutions who claim they were hurt by the breach are expected to file a consolidated lawsuit against Home Depot by May 15.

Home Depot has not yet responded in court to any of the lawsuits. But in a statement to Atlanta Business Chronicle, Home Depot spokesman Stephen Holmes noted that customers were not liable for fraudulent charges on their cards. He added that the company strongly disagrees with the claims and will defend the case in the proper venue.

In addition to criticizing management, the lawsuit goes on to charge that Home Depot did not invest sufficiently in information security.

"Over more than a decade, a clear pattern in Home Depot’s corporate strategy has emerged: the company is willing to invest in technology that will fuel its revenue growth and increase its profits, but Home Depot is not willing to invest in implementing corresponding security measures that do not provide an immediate boost to the bottom line," the lawsuit states.

The lawsuit details the stories of dozens of consumers who claim they were personally injured by Home Depot's data breach. To read these and the rest of the consumers' complaint, click here (http://media.bizj.us/view/img/5784511/home-depot-complaint.pdf).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/