Case ID
Home Depot 2014: $198M, the second retail POS breach that finished the EMV argument.
Nine months after Target, attackers ran the same play against Home Depot: steal a third-party vendor's credentials, pivot into the corporate network, and install custom memory-scraping malware on the self-checkout point-of-sale terminals. The malware ran undetected from April to September 2014 across US and Canadian stores, capturing 56 million payment cards and 53 million email addresses. Home Depot's SEC filings recorded $198M in cumulative net breach cost. Coming so soon after Target, the case removed any remaining doubt in US retail boardrooms about migrating to EMV chip cards.
Cards exposed
56M
Payment-card data
Emails exposed
53M
Email addresses
Net cost
$198M
SEC-disclosed, after insurance
Exposure window
5 months
Apr to Sep 2014
Direct answer / How much did the Home Depot breach cost?
Home Depot recorded $198 million of cumulative pretax net expenses related to the 2014 data breach, per its SEC Form 10-K for fiscal 2016, after roughly $100 million of expected insurance recoveries. The company-disclosed cost includes the litigation settlements that resolved the breach: a $19.5M consumer class-action settlement (2016), a $25M financial-institution class-action settlement (2017), and a $17.5M multistate attorneys-general settlement with 46 states and DC (2020), alongside roughly $134.5M in reported payments to the payment-card networks and issuing banks.
Section HD.1
The vendor credential and the self-checkout POS malware
The intrusion began with a third-party vendor. Attackers obtained a vendor's username and password and used them to log in to a peripheral part of Home Depot's network. Those credentials did not grant direct access to the payment environment; instead the attackers exploited a Windows vulnerability to elevate privileges and move laterally, eventually reaching the point-of-sale systems. The entry pattern was near-identical to the Fazio-vendor pivot that had breached Target nine months earlier, which is part of why the case landed so heavily in the retail sector.
On the POS terminals the attackers installed a custom strain of memory-scraping malware that Home Depot's security team reported having never seen before, a variant of the same BlackPOS/FrameworkPOS family used against Target. The malware read unencrypted payment-card data out of terminal memory at the moment of swipe. Critically, the infection was confined to the self-checkout terminals rather than the full cashier-staffed register fleet, which limited the compromise to roughly a subset of transactions but still exposed 56 million cards over the five-month window. Home Depot later confirmed that 53 million customer email addresses were taken in the same intrusion.
The five-month dwell time, from around 10 April to 13 September 2014, is the detail that defines the case. As with Target, the failure was not a single missing control but a chain: an over-trusted vendor account, insufficient network segmentation between the vendor-facing network and the card environment, and POS terminals processing card data in cleartext in memory. Home Depot disclosed the breach publicly on 8 September 2014 after security reporter Brian Krebs surfaced evidence of stolen cards traced to its stores, and confirmed the malware had been removed by mid-September.
Primary source:Breach mechanics and scale from Home Depot press statements (September and November 2014), CNN Money and NBC News reporting on the 53 million stolen email addresses (6 November 2014), and Infosecurity Magazine reporting on the third-party vendor credential vector.
Section HD.2
The $198M cost composition
| Cost line item | Amount | Source |
|---|---|---|
| Payment-card network and bank recovery payments | ~$134.5M | Reported (Fortune, March 2017) |
| Financial-institution class-action settlement | $25M (+$2.25M) | In re Home Depot Data Breach Litigation, 2017 |
| Consumer class-action settlement | $19.5M | N.D. Georgia consumer settlement, 2016 |
| Multistate AG settlement (46 states + DC) | $17.5M | Multistate AG announcement, 24 Nov 2020 |
| Gross pretax breach expenses (cumulative) | ~$298M | Home Depot SEC 10-K, fiscal 2016 |
| Insurance recovery (offset) | -($100M) | Home Depot SEC 10-K disclosures |
| Net pretax breach cost (cumulative) | $198M | Home Depot SEC 10-K, fiscal 2016 |
The $198M headline is the cumulative pretax net figure Home Depot disclosed in its fiscal-2016 Form 10-K: gross pretax expenses of roughly $298M, offset by approximately $100M of expected insurance proceeds. The litigation settlements listed above are the components that resolved the breach rather than four separate additions on top of the net total; the payment-card recovery, consumer and financial-institution settlements sit inside the expensed figure, while the $17.5M multistate settlement was reached in November 2020, after that 10-K. The insurance recovery of roughly one third of gross cost mirrors the Target precedent that cyber-insurance ran materially below total breach exposure for large retailers in this era.
Section HD.3
The litigation: consumers, banks, and the states
The consumer class action settled first. In 2016 Home Depot agreed to a $19.5M fund covering documented out-of-pocket losses for affected cardholders plus 18 months of identity-protection services, along with a commitment to specific security improvements. The per-person recovery was modest, consistent with payment-card breaches where issuers, not cardholders, absorb the direct fraud loss through reissuance and chargebacks.
The financial-institution litigation was the more consequential track. More than 60 banks and credit unions consolidated their claims, arguing that Home Depot's security failures forced them to bear reissuance and fraud-reimbursement costs. In March 2017 Home Depot agreed to pay $25M into a fund for institutions that had not already released their claims, plus a further $2.25M for certain institutions whose claims had been released, along with notice and administration costs. That settlement, layered on the roughly $134.5M Home Depot had already paid the card networks and banks through card-brand recovery programs, is why Fortune reported the breach's costs had topped $179M by March 2017.
The regulatory track closed last. On 24 November 2020 Home Depot settled with a coalition of 46 state attorneys general and the District of Columbia for $17.5M, alongside a set of injunctive security requirements: appointing a chief information security officer, deploying specific safeguards for cardholder data, and maintaining a documented information-security program subject to third-party assessment. The six-year gap between the breach and the AG settlement is itself instructive on the long tail of breach cost, the same pattern the Target case established.
Primary source:Settlement figures from the consumer class settlement (N.D. Georgia, 2016), In re: The Home Depot, Inc., Customer Data Security Breach Litigation financial-institution settlement (2017, reported by Crowell & Moring and Patterson Belknap), Fortune reporting on the aggregate cost (9 March 2017), and the multistate attorneys-general settlement announcements of 24 November 2020 (New York, Texas, and Delaware AG press releases).
Section HD.4
Two breaches in nine months: the EMV tipping point
Target on its own had already moved EMV chip migration up the retail agenda, but the arrival of a near-identical breach at a second national retailer within nine months is what removed the remaining resistance. The EMV liability shift for US card-present transactions had been scheduled by Visa and Mastercard for October 2015 before either breach; the two cases turned a deferrable capital project into a board-level mandate. Home Depot itself accelerated its chip-reader rollout, completing enablement across its US stores ahead of the liability-shift deadline.
The structural lesson the pair delivered was that magstripe POS data in terminal memory was the crown jewel and that chip-and-PIN or chip-and-signature broke the counterfeit-card economics behind these breaches. Visa reported that counterfeit-fraud dollars at fully chip-enabled US merchants fell 87% between September 2015 and March 2019. Home Depot and Target were the two single largest catalysts for that investment cycle, and after 2015 large-scale magstripe-clone breaches of this exact shape became markedly rarer as the card-present attack surface shifted toward card-not-present fraud online.
One contrast with Target is worth recording. Target's breach produced the first CEO departure attributable to a data breach, when Gregg Steinhafel resigned in May 2014. Home Depot saw no comparable executive fallout: its leadership transition through this period was already in train and was not framed as a consequence of the breach. The divergent governance outcomes, similar breach mechanics but very different executive consequences, became a case study in how much the board and market reaction depends on framing, timing, and the perceived adequacy of the response rather than on breach scale alone.
Cross-references
Case / Target 2013
→The template breach: HVAC-vendor pivot, $292M, first breach-driven CEO exit.
Industry / Retail
→Sector context: $3.54M average, PCI DSS economics.
Regulation / PCI DSS
→Card-brand fines, reissuance economics, PFI mandates.
Cost / Class actions
→Consumer and bank class settlements per affected person.
Cost / Forensics
→PCI Forensic Investigator engagement scope and cost.
Index / All breach cases
→Verified mega-breaches with sourced cost figures.
Schedule F / Reference Q&A
Frequently Asked Questions
Primary source:Home Depot 2014 breach data from Home Depot SEC 10-K filings (fiscal 2014 to 2016), the consumer class settlement (N.D. Georgia, 2016), the financial-institution settlement in In re: The Home Depot, Inc., Customer Data Security Breach Litigation (2017), the multistate attorneys-general settlement of 24 November 2020, Fortune coverage (9 March 2017), and CNN Money and NBC News reporting on the 53 million exposed email addresses (November 2014).