Home Depot’s data breach, estimated to be one of the biggest of all time, has now prompted a class action lawsuit on behalf of banks affected by costs of reissuing payment cards and notifying consumers.
First Choice Federal Credit Union filed a lawsuit against Home Depot in a Georgia district federal court, stating that it failed to maintain adequate data security standards. The bank commented in its complaint, “[The] Defendant failed to take adequate security measures despite well-publicized data breaches at large, national retail and restaurant chains in recent months, including Target, Sally Beauty, Harbor Freight Tools, and P.F. Chang’s. The attack underlying the Home Depot Data Breach involved mostly the same techniques as those used in other major data breaches in the preceding months and year. Despite having knowledge that such data breaches were occurring throughout the retail industry, Home Depot failed to properly defend sensitive payment card information from what is now a well-known, preventable angle of attack.”
First Choice noted that the situation had been worsened by Home Depot’s failure to detect the four-month-long breach, only learning of it after law enforcement and financial institutions informed the home improvement chain. This led to a “much greater” volume of data being stolen, the bank asserted.
“As a result of Home Depot’s negligence, vast amounts of customer information were stolen from Home Depot’s computer network,” First Choice charged. “Millions of Home Depot’s customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft, and have otherwise suffered damages. As a direct consequence, Plaintiff and members of the Class have incurred and will continue to incur significant costs associated with, among other things, notifying their customers of issues related tothe Home Depot Data Breach, closing out and opening new customer accounts, reissuing customers’ cards, and/or refunding customers’ losses resulting from the unauthorized use of their accounts. Additionally, Plaintiff and members of the Class have suffered and will continue to suffer lost revenues as a result of decreased usage of their customers’ debit/credit cards.”
First Choice and its 100 fellow plaintiffs are seeking damages for the costs caused by Home Depot’s alleged “negligence,” estimating that the costs exceed $5 million.
The complaint states that hackers accessed Home Depot’s payment processing systems via malware known as “RAM scraper” malware. It cited estimates from BillGuard, a private security firm, which used data sixteen data breaches in the past year, that the accounts compromised via the Home Depot breach could see up to $3 billion in fraudulent charges.
First Choice’s complaint reflects the apparent belief that retailers feel that fraudulent card activity are ultimately the responsibility of the banks issuing the cards. Consumers have also filed lawsuits over the breach, but the First Choice complaint marks the first time financial institutions have called upon retailers to take more responsibility for data breach losses. Banks have been growing more vocal in this arena, as recently reported by Advisen.