When pondering how much to spend on cybersecurity defenses, be sure to consider the cost of a retail data breach. Ill-advised security practices and a lack of proper cybersecurity defenses can cost a company dearly. That was certainly the case for Home Depot.
A data breach on the scale of the one that hit Home Depot in 2014 can cost hundreds of millions of dollars to address. The Home Depot data breach was huge: it was the largest retail data breach involving a point-of-sale system ever to be reported. Malware had been downloaded that allowed cybercriminals to obtain over 50 million credit card numbers from Home Depot customers and around 53 million email addresses.
The Home Depot cyberattack was conducted using credentials that had been stolen from one of the retailer’s vendors. Those credentials were used to obtain access to the network. The attackers then elevated privileges and moved laterally undetected until they found what they were looking for: the POS system. Malware was downloaded that recorded credit card details as payments were made, and the information was silently exfiltrated to the attackers’ servers. The malware infection went unnoticed for five months, between April 2014 and September 2014.
Last year, Home Depot agreed to pay out $19.5 million in damages to customers who had been impacted by the breach. The payout included the costs of providing credit monitoring services to those affected by the breach. Home Depot has also paid out a minimum of $134.5 million to credit card companies and banks. The latest settlement amount will permit banks and credit card companies to submit claims for $2 per compromised credit card without having to show proof of losses suffered. If banks can show losses, they will have up to 60% of their losses compensated.
The total cost of the retail data breach is approximately $179 million, although that figure does not incorporate all legal fees that Home Depot must pay, nor does it include undisclosed settlements. The final cost of the retail data breach will be much higher and is likely to pass the $200 million mark.
Then there is the reputational damage suffered as a result of the data breach. Following any data breach, customers often take their business elsewhere, and many consumers who were affected by the Home Depot breach said they would not shop there again. A number of studies have been carried out on the fallout from a data breach, with one HiTrust study suggesting companies may lose up to 51% of their customers following a breach of sensitive data.