More than 50 million Home Depot customers impacted by the retailer’s 2014 data breach will receive part of a $19.5 million settlement. The retailer has agreed to set up a $13 million fund to reimburse shoppers for out-of-pocket losses and to spend at least $6.5 million for 18 months of identity protection services, according to Reuters.
In addition to payment card data, more than 53 million Home Depot customers’ email addresses were stolen by cyberthieves during the data breach, which took place over five months in 2014.
Under the settlement, filed Monday in Atlanta federal court, Home Depot admits no wrongdoing or liability. However, the retailer will initiate a two-year program of data security improvements overseen by a chief information security officer, and will separately pay legal fees and related costs for affected customers. The agreement still requires the court’s approval.
“We wanted to put the litigation behind us, and this was the most expeditious path,” said Home Depot spokesman Stephen Holmes in a statement. “Customers were never responsible for any fraudulent charges.”
The settlement doesn’t cover pending lawsuits from financial institutions, which also can represent an expensive penalty for vulnerable retailers. Target’s 2013 data breach, which involved the theft of personal information from as many as 110 million people, cost the retailer only $10 million to settle with consumers. However, the retailer found itself on the hook for another $106.4 million in payments to Visa, MasterCard and various banks.