BreachExchange mailing list archives

Lawsuit: Home Depot data breach was caused by management's 'overarching complacency' over security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:18 -0600

http://www.bizjournals.com/atlanta/news/2015/05/05/lawsuit-home-depot-data-breach-was-caused-by.html

Consumers hurt in the giant Home Depot data breach have filed a
consolidated lawsuit that accuses the company's management of "overarching
complacency when it came to data security."

In a 187-page complaint filed in federal court in Atlanta on May 1,
consumers state their case that by allowing the data breach to occur, Home
Depot (NYSE: HD) breached its obligation to protect customers' personal and
financial information and violated its own internal policies and standards.

"Home Depot management’s attitude towards data security in the years and
months leading up to the breach can best be described as willfully
dismissive," the new lawsuit charges. "Notwithstanding the warnings and
pleas of many of its employees who recognized the vulnerability of millions
of customers’ sensitive information stored in Home Depot’s systems, Home
Depot management refused to upgrade its security systems, refused to follow
recommendations of information technology (“IT”) employees and experts, and
suffered from ineffective leadership in key IT security positions within
the organization."

The lawsuit lists a number of security upgrades that it says were "proposed
to Home Depot IT executives and explicitly rejected."

"These specific failures, among many others, are consistent with Home Depot
management’s overarching complacency when it came to data security," the
lawsuit states. "This included woefully understaffing Home Depot’s IT
security department, failing to heed the advice of IT security employees
and outside consultants, and hiring unqualified individuals to serve in key
IT security management positions."

Home Depot in September 2014 revealed that the payment card data and
personal information of 56 million customers had been hacked. At least 57
lawsuits were subsequently filed against the company by consumers and
financial institutions. Many of these have been consolidated into one big
court case that will be fought out in federal court in Atlanta beginning
this summer.

Judge Thomas W. Thrash, who is overseeing the case, has split it into two
tracks, one for consumers and one for financial institutions. The financial
institutions who claim they were hurt by the breach are expected to file a
consolidated lawsuit against Home Depot by May 15.

Home Depot has not yet responded in court to any of the lawsuits. But in a
statement to Atlanta Business Chronicle, Home Depot spokesman Stephen
Holmes noted that customers were not liable for fraudulent charges on their
cards. He added that the company strongly disagrees with the claims and will
defend the case in the proper venue.

In addition to criticizing management, the lawsuit goes on to charge that
Home Depot did not invest sufficiently in information security.

"Over more than a decade, a clear pattern in Home Depot’s corporate
strategy has emerged: the company is willing to invest in technology that
will fuel its revenue growth and increase its profits, but Home Depot is
not willing to invest in implementing corresponding security measures that
do not provide an immediate boost to the bottom line," the lawsuit states.

The lawsuit details the stories of dozens of consumers who claim they were
personally injured by Home Depot's data breach.

To read these and the rest of the consumers' complaint, click here
(http://media.bizj.us/view/img/5784511/home-depot-complaint.pdf).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/