As reported by Reuters, Home Depot Inc, the largest U.S. home improvement retailer, on Tuesday reached a $17.5 million settlement to resolve a multistate probe into a 2014 data breach where hackers accessed payment card data belonging to 40 million customers.
The settlement stemmed from a breach between April 10, 2014, and Sept. 13, 2014, affecting customers who used self-checkout terminals at its U.S. and Canadian stores.
Hackers used a vendor’s user name and password to infiltrate Home Depot’s network, and deployed custom-built malware to access customers’ payment card information. The Atlanta-based retailer previously said at least 52 million people also had their email addresses exposed, partially overlapping those whose payment card data was compromised.
Punishing huge companies must set a precedent, but we don’t want to see any company forced out of business for a mistake which may have been out of their control. Data breaches happen in a variety of ways and many could have been avoided with best practice, simulation attacks and better staff training. However, many are simply unavoidable bad luck and do not require much more punishment than the negative publicity they will no doubt attract. Maybe if fines were reduced for companies that were more open about how they were breached, we may see a change in how they are reported and penalised.