CHICAGO (Legal Newsline) - An Illinois man has sued Home Depot Inc. after he claims a data breach at the store caused him and other class members damages.
Kelsey O'Brien brought the class action against Home Depot for its failure to secure and safeguard its customers’ personal financial data, according to a complaint filed Sept. 9 in the U.S. District Court for the Northern District of Illinois.
Beginning in April, hackers utilizing malicious software accessed the point-of-sale systems at Home Depot locations throughout the United States and Canada and absconded with customers’ debit and credit card information, as well as the city, state and ZIP code of the specific location where the card was used, according to the suit.
"In early September...this information was placed for sale on an underground website notorious for offering stolen card data," the complaint states. "Home Depot admits that it did not become aware of any potential breach for at least five months, until September 2, 2014."
O'Brien claims six days later, Home Depot confirmed that the breach had in fact occurred and that customers’ personal, financial information had been stolen.
"Defendant’s security failures enabled the hackers to steal financial data from within defendant’s stores and subsequently make unauthorized purchases on customers' credit and debit cards and otherwise put class members' financial information at serious and ongoing risk," the complaint states. "The hackers continue to use the information they obtained as a result of defendant’s inadequate security to exploit and injure class members across the United States."
Home Depot failed to uncover and disclose the extent of the security breach and notify its affected customers of the breach in a timely manner, according to the suit.
O'Brien claims by failing to provide adequate notice, Home Depot prevented class members from protecting themselves from the security breach.
On Sept. 2, Home Depot's banking partners and law enforcement officials notified the retailer of a potential data breach involving the theft of its customers' credit card and debit card data and, that same day, multiple banks began reporting evidence that Home Depot stores were the likely source of a massive batch of stolen card data that went on sale that morning at rescator.cc, the same underground cybercrime shop that sold millions of cards stolen in the 2013 attack on Target.
O'Brien claims to uncover further details, the defendant’s forensics and security teams initiated an investigation in conjunction with outside IT security firms and the Secret Service.
On Sept. 8, Home Depot announced that its investigation had confirmed that customers’ data was indeed compromised, and victims could include anyone who used a credit or debit card at any of the more than 2,200 Home Depot locations in the United States or Canada since April, according to the suit.
"The stolen card data being offered for sale on rescator.cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen," the complaint states.
O'Brien claims the security breach was caused and enabled by the defendant's knowing violation of its obligations to abide by best practices and industry standards in protecting customers' personal information.
"Home Depot grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the security breach that occurred," the complaint states.
O'Brien claims while many retailers, banks and card companies have responded to these recent breaches by adopting the use of microchips in U.S. credit and debit cards, technology that helps makes transactions more secure, Home Depot did not.
"In light of the breach, however, it has now announced that it plans to have chip-enabled checkout terminals at all of its U.S. stores by the end of 2014," the complaint states.
The defendant's failure to comply with reasonable security standards provided Home Depot with short-term and fleeting benefits in the form of saving on the costs of compliance, but at the expense and to the severe detriment of its own customers – including class members here – who have been subject to the security breach or otherwise have had their financial information placed at serious and ongoing risk, according to the suit.
O'Brien claims Home Depot allowed widespread and systematic theft of its customers’ financial information.
"Defendant’s actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ financial information," the complaint states.
O'Brien is seeking class certification, actual damages and punitive damages with pre- and post-judgment interest. He is being represented by Joseph J. Siprut and Gregory W. Jones of Siprut PC.
The case is assigned to District Judge Amy J. St. Eve.
U.S. District Court for the Northern District of Illinois case number: 1:14-cv-06975
From Legal Newsline: Kyla Asbury can be reached at firstname.lastname@example.org.