This week’s revelation by The Home Depot Inc. that it has incurred $263 million in expenses from its 2014 data breach means that the home-improvement retailer’s breach costs, together with those of another big-box retailer, Target Corp., now total $554 million.
In a quarterly regulatory filing Tuesday, Atlanta-based Home Depot said it expects its gross pre-tax breach costs to be partially offset by $100 million in insurance proceeds, bringing its net expense to $163 million.
Malware planted on Home Depot’s payment-processing system compromised up to 56 million credit and debit payment cards used in self-checkout lanes at U.S. and Canadian stores between April and September of 2014. Fraudsters also stole separate files containing 53 million email addresses. Home Depot said in an earlier filing that the fraudsters used a vendor’s user name and password “to enter the perimeter of the company’s network” and eventually plant the malware.
In March, Minneapolis-based Target revealed in its annual report that cumulative expenses from its late-2013 breach totaled $291 million through fiscal 2015, which ended Jan. 31. Target expects insurance reimbursements to bring its net expense to $201 million. The breach compromised 40 million credit and debit cards and 70 million non-card customer records.
Home Depot’s breach-related expenses included investigation expenses, the costs of providing customers with credit-monitoring and identity-protection services, extra customer service, legal costs, and claims from the card networks on behalf of issuers to cover fraud losses and card re-issuance, as well as network assessments, or fines.
Plaintiffs filed 57 class-action lawsuits in the U.S. and Canada after the breach, according to the recent filing. Home Depot in March agreed in principle to settle the U.S. customer suits, which have been consolidated in U.S. District Court in Atlanta, for about $19.5 million. The company also has agreed to a tentative settlement of the Canadian consumer actions. Both the U.S. and Canadian pending settlements await final court approval. A Home Depot spokesperson said Thursday that the company has no updates on the settlements.
Home Depot last year also settled the claims from the four major card networks. But the breach will continue to generate more costs, which Home Depot says it can’t yet estimate. A class action filed by card issuers remains ongoing. The issuers claim they’ve sustained at least $150 million in re-issuance costs alone, according to the JD Supra LLC legal blog.
“Issuers were not pleased with the Visa and MasterCard settlements; many with whom I spoke said that they only recouped a small portion of the expenses that those breaches incurred,” Julie Conroy, research director at Boston-based Aite Group LLC, tells Digital Transactions News by email.
Also ongoing is a shareholder class action and investigations by various state and federal agencies.
While more than half a billion dollars sounds like big money, the Home Depot and Target breach expenses so far work out to less than $6 per affected cardholder. That’s not enough financial exposure to spur retailers to improve their data-security systems, according to Al Pascual, director of fraud and security at Pleasanton, Calif.-based Javelin Strategy & Research. Most expenses go for remediation, credit monitoring for customers, and network fines, Pascual says by email.
“What is unfortunate is that civil settlements are unlikely to be a major factor in either of these numbers,” he says, adding that “if we had a system more conducive to holding breached organizations accountable,” the retailers’ costs “would have been considerably different.”
Home Depot said shortly after the breach that it was enhancing security with new EMV chip card acceptance and data encryption.