40 million; the number of credit and debit card numbers stolen in the Target data breach of 2013. 200 million; the number of dollars credit unions and community banks spent reissuing only half of them. 1-3 million; the estimated number of these cards’ data successfully sold on the black market and fraudulently used before their issuing banks cancelled them. 5; the number of months ‘clandestine’ malware on Neiman Marcus systems operated and stole newly issued credit card information. 47; the percentage of world credit/debit card fraud that takes place in the United States. 18; the number of people, on average, whose stolen credit or debit card information just made them victims of identity theft before you even finished reading this paragraph.
Data breaches like Target and Neiman Marcus have prompted numerous consumer lawsuits against companies alleged of not doing enough to protect collected information about their customers. The effect of the media coverage over these data breaches combined with legislator concern and filed complaints has thrown the issue of consumer data protection into the spotlight.
One such lawsuit was filed on September 24, 2014 as Shonna Earls and John Holt Senior filed a class action against The Home Depot, Inc. in the U.S. District Court for the Northern District of California. The complaint alleges breaches of the California Customer Records Act as well as a violation of the California Unfair Competition Law among allegations of negligence on the part of Home Depot in managing recorded information.
The Breach
Home Depot confirmed that on September 18, 2014, 56 million credit and debit cards were exposed by hackers in the breach. The data stolen apparently centered on customer information recorded by the stores’ payment card systems which tracked the magnetic strip of the cards swiped and included customers’ names, card numbers, expiration dates, and CVV security codes. This type of information was also the targeted information in the Target and Neiman Marcus breaches. The popularity of this information among hackers comes from the ability to use this information to create new cards or make fraudulent purchases over the internet.
Home Depot has also confirmed that 53 million emails of customers were stolen in the hacks too. Home Depot has warned customers that this information could potentially be used in phishing scams online when hackers pose as Home Depot giving away gift cards or the like to trick consumers into disclosing personal financial information.
KrebsOnSecurity reports that the hack happened due to a variant of the “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows. This was similar to the methodology used in the 2013 Target data breach. The investigation has yielded information that the attackers broke into Home Depot’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services a third-party provider of refrigeration and HVAC systems.
The New York Times has covered accusations from former employees who said that Home Depot was slow to install updated security mechanisms to prevent the breach in the first place. Furthermore, former employees wondered whether Home Depot did not meet industry standard guidelines for securing credit and debit card data – attributing the extent of the breach to lax security measures.
The Fallout
Following the news of the breach, multiple financial institutions reported a steep increase in fraudulent ATM withdrawals on customer accounts. Home Depot estimates the breach will cost the company $62 million. Higher estimates are projected by some sources whereas the breach cost Home Depot $43 million in the third quarter of 2014 alone. Those same sources point to the 2013 Target breach costing upwards of $1 billion.
In addition to the Earls lawsuit, there are also 43 additional civil suits being filed against Home Depot across the United States.
In addition to the security upgrades and legal costs, Home Depot informed customers that it would be providing free identity protection services to anyone who used their cards at Home Depot in 2014.
Shareholders have expressed concern that news of the breach may hurt Home Depot’s stock price looking at the 14% drop in Target’s price only a couple months out from news of its breach in 2013. However, according to Google Finance, Home Depot’s stock value has actually increased to close out the year nearly 12 points higher than in September when the news was announced.
The Lawsuit
Shonna Earls personally incurred $543.95 in unauthorized charges in September, 2014 after using her credit card at her local Home Depot. John Holt Sr. was notified by his bank that fraudulent activity was taking place on his debit card that he had recently used at Home Depot. The two plaintiffs are named in a nation-wide and California-wide class action suit.
The complaint alleges Home Depot violated multiple sections of California law by failing to implement reasonable security procedures and practices to protect consumer credit and debit card information. Additionally, the complaint alleges Home Depot violated California law by failing to promptly notify class members that their personal information had been compromised.
California Civil Code § 1798.80 requires any business that owns or licenses personal information about a California resident to maintain reasonable security procedures appropriate to the nature of the information. The complaint alleges that Home Depot violated this section by keeping customers’ personal data within its custody longer than necessary and by failing to properly and adequately dispose or make customers’ data undecipherable.
The complaint further alleges Home Depot violated California Civil Code § 1798.82 by failing to promptly notify all affected Home Depot customers that their personal information had been exposed by hackers.
The second cause of action alleges that Home Depot violated California Business and Professions Code § 17200 by failing to take reasonable security measures to protect its customers’ data, and because they didn’t notify customers of the breach in a timely manner. It further alleges that Home Depot engaged in unfair business practices and conduct that undermines or violates the stated policies underlying the California Customer Records Act.
The third cause of action alleges that Home Depot owed Plaintiffs and members of the class a duty to exercise reasonable care in safeguarding and protecting that information – a duty underscored by the California Customer Records Act. Plaintiffs allege that timely disclosure was necessary to alert plaintiffs and allow them to, among other things, monitor their bank accounts, undertake appropriate measures to protect their identify and avoid unauthorized charges, and otherwise prevent or mitigate the risk of fraudulent cash withdrawals or unauthorized transactions.
The class requests that Home Depot submit itself to a third-party security audit and testing regimen, update its data security policies, destroy all non-necessary customer information, better educate its personnel on the need for data security, and better educate its customers about the risks they now face in light of the breach and how they may protect themselves.
The Adventure Continues
The Earls lawsuit is just the latest chapter in the saga of retail data breaches and the public prioritization of consumer information privacy. Former employees have filed a lawsuit against Sony over the recent hack by the “Guardians of Peace”. On December 4, 2014, U.S. District Judge Paul Magnuson ruled to allow a lawsuit by financial institutions against Target for allowing their computer systems to be breached to proceed. In January, Nieman Marcus was hit with a proposed class action lawsuit in federal court seeking to hold the retail chain accountable for separate data breaches that put customer payment information at risk. The Michaels craft store chain was hit with a similar lawsuit by Michael and Jessica Gouwens in Illinois alleging the retailer has failed to sufficiently step up security measures following a three-year-old security breach.
Responses to recent data breaches are not limited to judicial action. In the wake of the 2013 Target data breach, ranking members of Congress called for committee hearings to explore how to better protect consumers and ensure private companies are held accountable for failures to secure their customers’ data. This is reflective of polling information that indicates stolen credit card information tops the list of crimes Americans worry about the most. The public conscience, legislative priority, and judicial focus are all fixed upon how to secure consumers’ information in the twenty-first century. Regardless of the outcome of any single case, the issue remains. While the twenty-first century may be the century of big data; the courts, federal and state officials, and the general public will also take measures to ensure it is also the century of big data protection.