Home Depot’s security breach 18 months ago was hugely embarrassing for the company, and only now is it coming near to finally bringing the matter to a close.
The retail giant said Tuesday it’s agreed to pay a minimum of $19.5 million in compensation to customers caught up in the incident that saw cybercriminals nab payment card information and email addresses belonging to tens of millions of Home Depot shoppers.
If approved by the courts, the settlement will take care of nearly 60 proposed class-action lawsuits that resulted from the security breach, though Home Depot has always denied any wrongdoing or liability.
The agreement includes the launch of a $13-million fund to reimburse Home Depot customers for any losses – including legal fees – incurred as a result of the hack, and the retailer will also pay for 18 months of cardholder protection services at a cost of at least $6.5 million.
Home Depot spokesperson Stephen Holmes told Reuters, “We wanted to put the litigation behind us, and this was the most expeditious path,” adding, “Customers were never responsible for any fraudulent charges.”
The security breach, which took place between April and September 2014, saw hackers steal payment card information belonging to around 40 million Home Depot shoppers, and also a database of up to 53 million customer email addresses.
Home Depot said at the time that that hackers had accessed its computer network through the use of a third-party vendor’s username and password, explaining: “The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on [our] self-checkout systems in the U.S. and Canada.”
The hack occurred alongside other similar high-profile incidents, and came a few months after Target revealed cybercriminals had stolen personal data belonging to around 100 million of its own customers.
In May 2015, Target agreed to pay $10 million to shoppers affected by the breach, and later in the year settled with Visa in a deal worth $67 million to compensate banks and other firms that issue its cards. The payout took care of costs incurred by card issuers as a result of the hack, covering actions such as sending out new cards and dealing with any resulting fraud.