back to article The bill for Home Depot after its sales registers were hacked: $19.5m

Home Depot will pay at least $19.5m in compensation to the 50 million customers hit by hackers who infiltrated the chain's sales tills in 2014. The US home improvement warehouse will create a $13m fund to reimburse shoppers and spend a further $6.5m providing a year's worth of identity protection for those impacted. Those are …

  1. wsm

    The BORG

    The nickname given Home Depot by its competitors years ago was "the BORG" which stood for Big Orange Retail Giant, given that the orange-colored logo coming to your locality indicated the death of the local hardware store with its variety of goods, local expertise and general good will.

    Once the credit data of millions was "swiped" the nickname took on another meaning.

    How many more compromises of retail transactions will there be for which resistance is futile?

    1. Bob Dole (tm)

      Re: The BORG

      >>How many more compromises of retail transactions will there be for which resistance is futile?

      I dare say resistance is futile for all of them. There is literally nothing a consumer can do to adequately protect their information if they are conducting business using anything other than actual cash.

      Fortunately consumers, generally, only experience mild inconvenience by being forced to update auto payment systems with the latest credit card details once or twice a year. (you likely detect some sarcasm in my use of "fortunately") However in some cases, when consumers pay with a card directly tied to their bank account (debit card) they might have to go inside their bank in order to contest the charges. My wife recently had to do that when someone decided to go on a shopping spree in a country she's never been to.

      That said, what really gets me mad is that the dollar amounts for the settlements are incredibly low. $0.25 per lost card info? At that rate big box retailers can simply continue doing business like they are now and just build in a $0.25/transaction fee as a fixed cost. If you want real change then these amounts need to be bumped up to something reasonable like $10 per card per offense and escalate from there.

      1. Terry Cloth
        Happy

        Things are looking up!

        They only charged Target 25¢ per victim; now they're hitting Home Depot for 40¢. If the rule is raise the fine by 60% for each new breach, we should see things clean up RSN.

    2. Stevie Silver badge

      Re: The Death of local hardware stores

      Yeah, I remember ours: open between 9 and 5 weekdays and up til noon on a Saturday.

      Real friendly for the commuting worker (ie the vast majority of the locals).

      By the time I had the tap apart and discovered the problem they were closed again.

      Hard to see how Home Despot took them out of the picture.

  2. Justin Pasher
    Trollface

    Surprised?

    Hmmm... I wonder why they had the breach in the first place...

    http://imgur.com/5lnjzBu

    1. redpawn Silver badge

      Re: Surprised?

      No.

      AV is expensive. IT pros are expensive too. Besides, its the fault of the bad guys. Blame them.

  3. Captain Badmouth
    FAIL

    Security warnings?

    "The company was accused of having ignored warnings from its security staff that its anti-virus software had not been updated for over seven years"

    FFS! My Kaspersky has a fit if I don't update for a few days. Seven years?!

    Wasn't McAfee, was it? I mean, wouldn't make any difference, would it?

    1. JeffyPoooh Silver badge
      Pint

      "...its anti-virus software had not been updated for over seven years."

      Maybe they had read about just how amazingly bad Symantec's Norton Antivirus (NAV) '07 was, and so they wisely decided to avoid "upgrading" from the previous version until things improved. Maybe after seven years, they finally gave up waiting and did something else.

    2. Brad100

      Re: Security warnings?

      It most likely wouldn't have made any difference what AV vendor they were using or how recently it was updated. Traditional signature-based AV would probably not have known anything about the malware variant used against Home Depot. I don't think the AV not being updated has anything to do with the breach except that the fact it wasn't being updated and the weak passwords give an indication of the security posture of the company and the state of the security program in general. The lawyers will argue that if you are not doing the basics, then you are not dong your due diligence and putting in place accepted industry-standard measures to adequately protect customer's data.

  4. Herb LeBurger
    Unhappy

    Home Depot has learned a valuable lesson here

    ... that paying some compensation and lawyers' fees is cheaper than implementing good security practices.

    1. Mark 85 Silver badge

      Re: Home Depot has learned a valuable lesson here

      No. I disagree. They didn't learn a damned thing. They aren't taking any responsibility for their inaction or actions. They still maintain by the agreement that they did nothing wrong and won't accept liability. This is pure BS.

  5. Snowy

    [quote]Home Depot will pay at least $19.5m in compensation to the 50 million customers hit by hackers who infiltrated the chain's sales tills in 2014. The US home improvement warehouse will create a $13m fund to reimburse shoppers and spend a further $6.5m providing a year's worth of identity protection for those impacted[/quote]

    Works out at 39 cents each, not going to get much for that?

    1. veti Silver badge

      Yep, $19.5m is a joke.

      56 million credit card numbers? Pretty sure those things are worth at least $5 a pop, probably more if they come with matching customer data and verification codes, so we're talking $280 million right there.

      In other words: it would be a viable business venture for Home Depot to sell its own customers' credit card numbers to Bad People, pocket the money, pay the "compensation", and walk away with a quarter-billion in clear profit.

      1. Sgt_Oddball Silver badge

        I had the same thought, but then please don't give them any ideas.....

  6. Winkypop Silver badge
    Devil

    "its anti-virus software had not been updated for over seven years"

    What a bunch of tools.

  7. willi0000000

    had the same malware problem down at Apartment Depot but nobody cared.

  8. Huns n Hoses

    POS

    A delicious double entendre, no?

  9. Walter Bishop Silver badge
    Linux

    Software nasty installs itself on cash registers?

    "software nasty installs itself on cash registers" running Microsoft Windows.

    1. david 12 Bronze badge

      Re: Software nasty installs itself on cash registers?

      Yep, looks like they didn't update their point of sale software for more than 7 years.

    2. Crazy Operations Guy

      Re: Software nasty installs itself on cash registers?

      Linux machines could be infected just as easily. Had a customer where an intruder got into puppet (which was on the network edge to manage the remote offices and telecommuters) and put in a script to turn on X11-forwarding over SSH. The configuration looked like they intended for user's sessions to connect to a remote server, which would connect back to the local machine so that they could capture every keystroke, mouse movement, and window.

      WIndows had nothing to do with the Home Depot breach, it was all insufficient administration.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019