In a recent SEC filing, Home Depot stated that a recent data breach that exposed 56 million credit cards and 53 million email addresses cost the company $43 million in the third quarter of 2014 alone.
Specifically, Home Depot says it "recorded $43 million of pretax expenses related to the data breach, partially offset by a $15 million receivable for costs the company believes are reimbursable and probable of recovery under its insurance coverage, for pretax net expenses of $28 million."
Those expenses, according to the filing, included "costs to investigate the data breach; provide identity protection services, including credit monitoring, to impacted customers; increase call center staffing; and pay legal and other professional services."
Home Depot also anticipates lawsuits by payment card networks seeking reimbursement for fraud losses and for operating expenses such as the cost of issuing replacement cards. "At this time, the company believes it is probable that the claims will be asserted and that settlement negotiations will ensue, and believes that a loss in connection with these claims is reasonably possible," the filing states.
Still, the filing notes that it's too early to anticipate the likely cost of those settlements.
The SEC filing also states that at least 44 lawsuits have already been filed, and more may be filed in the future, by customers, banks, shareholders and others, along with investigations by state and federal agencies that may result in fines. As with the anticipated lawsuits by payment card networks, Home Depot says it's too early to anticipate the costs resulting from those lawsuits and fines.
Notably, the SEC filing acknowledges that the $43 million in expenses in Q3 2014 is just the beginning.
"The company expects to incur significant legal and other professional services expenses associated with the data breach in future periods," the filing states.
The filing also states that the investigation into the breach hasn't yet concluded.
"It is possible that we will identify additional information that was accessed or stolen, or other unforeseen developments related to the data breach could occur, which could have a further adverse impact on our operations, financial results and reputation," the filing states.
HyTrust president and founder Eric Chiu told eSecurity Planet by email that the total cost of any massive data breach is inevitably difficult to quantify. "The $43 million cost to Home Depot is just the immediate cost of investigation and remediation, which will be small compared to the cost of the 44 lawsuits facing the company as well as any regulatory fines," he said.
"In the case of a similar example at Target Stores, the total estimated cost of the massive data breach that occurred in November 2013 was close to $1 billion in addition to major executives, including the CEO, who lost their jobs," Chiu added.
A recent eSecurity Planet article offered advice on how to respond to a data breach.
Photo courtesy of Shutterstock.