An Illinois man has sued Home Depot Inc., claiming a data breach at the store caused him and others to suffer damages.
Kelsey O’Brien filed a class action suit against Home Depot Sept. 9 in Chicago's federal court over its alleged failure to secure and safeguard customers’ personal financial data.
Beginning in April, hackers utilizing malicious software allegedly accessed the point-of-sale systems at Home Depot locations throughout the United States and Canada to steal customers’ debit and credit card information, as well as the city, state and ZIP code of the specific location where the card was used.
“In early September…this information was placed for sale on an underground website notorious for offering stolen card data,” the suit states. “Home Depot admits that it did not become aware of any potential breach for at least five months, until September 2, 2014.”
O’Brien claims in her suit that six days later, Home Depot confirmed the breach had in fact occurred and that customers’ personal financial information had been stolen.
“Defendant’s security failures enabled the hackers to steal financial data from within defendant’s stores and subsequently make unauthorized purchases on customers’ credit and debit cards and otherwise put class members’ financial information at serious and ongoing risk,” the complaint states. “The hackers continue to use the information they obtained as a result of defendant’s inadequate security to exploit and injure class members across the United States.”
Home Depot failed to uncover and disclose the extent of the security breach and notify its affected customers of the breach in a timely manner, the suit alleges.
O’Brien contends that by failing to provide adequate notice, Home Depot prevented her and class members from protecting themselves from the security breach.
On Sept. 2, Home Depot’s banking partners and law enforcement officials notified the retailer of a potential data breach involving the theft of its customers’ credit card and debit card data. That same day, multiple banks began reporting evidence that Home Depot stores were the likely source of a massive batch of stolen card data that went on sale that morning at rescator.cc, the same underground cybercrime shop that sold millions of cards stolen in the 2013 attack on Target.
O’Brien claims that, to uncover further details, the defendant’s forensics and security teams initiated an investigation in conjunction with outside IT security firms and the Secret Service.
On Sept. 8, the suit states, Home Depot announced that its investigation had confirmed that customers’ data was indeed compromised, and victims could include anyone who used a credit or debit card at any of the more than 2,200 Home Depot locations in the United States or Canada since April.
“The stolen card data being offered for sale on rescator.cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen,” the complaint states.
O’Brien claims the security breach was caused and enabled by the defendant’s knowing violation of its obligations to abide by best practices and industry standards in protecting customers’ personal information.
“Home Depot grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the security breach that occurred,” the complaint states.
O’Brien claims that while many retailers, banks and card companies have responded to these recent breaches by adopting the use of microchips in U.S. credit and debit cards, technology that helps make transactions more secure, Home Depot did not.
“In light of the breach, however, it has now announced that it plans to have chip-enabled checkout terminals at all of its U.S. stores by the end of 2014,” the complaint states.
O'Brien contends that the defendant’s failure to comply with reasonable security standards provided Home Depot with short-term and fleeting benefits in the form of saving on the costs of compliance, but at the expense and to the severe detriment of its own customers – including class members here – who have been subject to the security breach or otherwise have had their financial information placed at serious and ongoing risk.
The suit asserts Home Depot allowed widespread and systematic theft of its customers’ financial information.
O’Brien is seeking class certification, actual damages and punitive damages with pre- and post-judgment interest, and is being represented by Joseph J. Siprut and Gregory W. Jones of Siprut P.C.
The case has been assigned to U.S. District Judge Amy J. St. Eve.
U.S. District Court for the Northern District of Illinois case number: 1:14-cv-06975