Hacked hardware mart Home Depot has forked out $43m to quash spot fires emanating from the data breach inferno this year, SEC filing documents show.
The payout covered damages from the theft of 56 million payment cards and 53 million email addresses.
It covered the cost of investigating this year's five-month-long breach, hiring expensive forensics teams, call centre operators to field angry customer inquiries, and free credit monitoring for victims.
"Expenses include costs to investigate the data breach; provide identity protection services, including credit monitoring, to impacted customers; increase call center staffing; and pay legal and other professional services, all of which were expensed as incurred," the filing read.
Home Depot had deployed encryption to protect card data and introduced EMV payment terminals into stores.
More financial pain could be on the way if payment card networks invoice Home Depot for fraud against cards.
About $15m of the $43m was expected to be paid out under its $100m data breach insurance policies.
"It's probable that the payment card networks will make claims against the company," Home Depot said in the filing. "The ultimate amount of these claims will likely include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card re-issuance costs) that the payment card networks assert they, or their issuing banks, have incurred."
The attack was said to have leveraged third-party credentials which carders used to gain access and then pivot laterally within the Home Depot network.
More blood would have been spilt if the attackers had recognised 70,000 additional registers that bore numerical device names, and hence were not immediately recognisable as payment terminals.
Attackers remained hidden for five months, infiltrating the network only during US business hours to stay under security radars. ®