A consolidated class action lawsuit filed in U.S. District Court in Atlanta, Ga. Wednesday listed 37 credit unions, 16 state leagues, CUNA and 11 banks that claimed the 2014 Home Depot data breach caused billions of dollars in fraud losses and more than $150 million in card reissuance costs.
Between April 2014 and September 2014, hackers breached Home Depot’s data security systems and stole the personal and financial information of 56 million customers across the nation. That information was sold on the Internet to thieves who made a massive number of fraudulent transactions on the credit and debit cards, the 102-page lawsuit claimed.
“Industry sources estimate that community banks and credit unions – which together issued only a fraction of the compromised cards – incurred more than $150 million in reissuance costs alone,” according to the lawsuit. “Industry sources further estimate that the total fraud losses for all financial institutions are in the billions of dollars.”
Stephen Holmes, a spokesperson for Home Depot in Atlanta, said the company disagrees with the lawsuit’s allegations and plans to launch a vigorous defense.
Although CUNA and the 16 state credit union leagues/associations are not seeking monetary damages, they are asking for “equitable relief” on behalf of their members, according to the lawsuit. That equitable relief may come in the form of a declaratory and injunctive relief order that would require Home Depot to fix its data security measures.
According to the lawsuit, Home Depot’s data security measures allegedly remain inadequate because fraudulent charges are still being made on payment cards financial institutions issued to Home Depot customers.
Holmes said Home Depot strongly denies that its data security measures are inadequate.
“IT security has been extremely important to us long before the breach occurred and we’ve put measures in place to enhance our security,” he said. “One example of that would be the enhanced encryption we put in place and had started well before the breach occurred.”
However, the cover page of the lawsuit features this quote by Frank Blake, Home Depot’s recently retired CEO and current board chair: “If we rewind the tape, our security systems could have been better…data security just wasn’t high enough in our mission statement.”
Richard L. Ensweiler, president/CEO of the Cornerstone Credit Union League in Farmers Branch, Texas, said as the largest regional trade association representing more than 540 credit unions in Arkansas, Oklahoma and Texas, Cornerstone needed to join the lawsuit to support its cooperatives and hold retailers accountable.
“According to national survey data compiled by CUNA, the Home Depot data breach cost credit unions more than $57 million of their members’ money to reissue cards that were not appropriately protected,” Ensweiler said. “As not-for-profit financial institutions owned by their members, credit unions are forced to clean up the mess caused by data breaches by notifying their member-owners, reissuing debit and credit cards, and adding staff to support member inquiries and monitor consumer accounts while retailers are often able to walk away and absolve themselves of the costs to consumers or financial institutions.”
Other state leagues/associations that joined the consolidated class action suit are those located in California, Nevada, Georgia, Illinois, Indiana, Maine, Michigan, Mississippi, New York and Ohio. Other regional leagues that joined the lawsuit are the Mountain West Credit Union Association, which represents credit unions in Arizona, Wyoming and Colorado, and the Credit Union Association of the Dakotas.
The lawsuit is seeking an unspecified money judgment for the 37 credit unions and 11 banks to compensate them for their losses.