The Home Depot A $38 million credit union opened the legal floodgates in response to Home Depot's recent card data breach, filing a proposed class-action lawsuit to recover up to $5 million in losses.

First Choice Federal Credit Union in New Castle, Penn., is the lead plaintiff in the suit, which lists more than 100 potential plaintiffs and estimates that class-action damages total at least $5 million, exclusive of interest and costs, according to court documents.

Home Depot should be held accountable for failing to prevent or detect the breach, according to Gary Lynch, a partner the Pittsburgh-based law firm Carlson Lynch Sweet & Kilpela, LLP, which filed the lawsuit Sept. 16 in the Atlanta division of the U.S. District Court for the Northern District of Georgia.

“After seeing the same type of attack on other retailers in the last two years, it is simply unacceptable that Home Depot allowed this to happen,” Lynch said in a prepared statement sent to CU Times. “And if it's true that they didn't detect the hack for four months, that's even worse.”

Lynch also represents financial institutions and serves on the Plaintiffs' Executive Committee in the consolidated Target suit.

Following last year's Target card data breach, the $211 million Alabama State Employees Credit Union was the first financial institution to sue that retailer.

First Choice also sued Target.

Home Depot acknowledged that hackers gained access to card data as early as April of this year and most likely affected all of its 2,200 stores in the United States and Canada, according to the complaint.

“The exact number of compromised cards is unknown at this time, but given the length of the breach and the number of stores involved, tens of millions of Americans could be victims,” a press release issued by Carlson Lynch Sweet & Kilpela, LLP said. “Reports indicate that batches of the stolen data are already being sold by criminals on underground websites and some experts have estimated that the breach could cost financial institutions more than $2 billion through fraudulent transactions.”

The Home Depot attack involved mostly the same techniques used in other recent major data breaches, according to the complaint.

“Despite having knowledge that such data breaches were occurring throughout the retail industry, Home Depot failed to properly defend sensitive payment card information from what is now a well-known, preventable angle of attack,” the complaint said.

Home Depot only learned of the breach from law enforcement and financial institutions,

according to court documents.

The volume of data stolen was much greater than it would have been if Home Depot monitored its data security adequately enough to identify and eliminate the attack as it was occurring, the complaint said.

Even before the Home Depot breach was confirmed, many credit unions, such as the $2.3 billion Affinity Federal Credit Union in Basking Ridge, N.J. and the $60 billion Navy Federal Credit Union in Vienna, Va., had taken proactive steps to protect members such posting warnings on websites and monitoring member credit cards that might have been involved in a breach.

Instant Insights /

Home Depot Breach: Small Credit Union Sues

Related Stories

Recommended For You