Major retailer Home Depot has revealed that it is willing to pay up to $19.5 million toward the settlement of a class-action lawsuit brought forward by customers affected in an infamous security breach from 2014. The breach, one of the largest ever, saw the credit card information of some 56 million Home Depot customers stolen by hackers.
The home improvement retailer will set up a $13 million fund to reimburse shoppers who suffered out-of-pocket losses. The retailer also pledged to spend at least another $6.5 toward funding identity protection services for cardholders, according to Reuters.
As a part of its settlement offering, the retailer also agreed to improve its data security over the next two years. It will also hire a chief information security officer to oversee progress in better security. The terms will the retailer pay legal fees and related costs separately for consumers who have been affected by the data breach. Legal fees and costs for the lawyers could come up to $9 million, court papers revealed.
Related read: Home Depot Targeted in a Recent Cyber-Attack
The terms of this preliminary settlement offer was disclosed in papers filed at the federal court in Atlanta, where the retailer is based. In its settlement offer, Home Depot did not admit to any liability or wrongdoing, despite its offer to settle. The settlement offer will require court approval.
“We wanted to put the litigation behind us, and this was the most expeditious path. Customers were never responsible for any fraudulent charges,” stated Stephen Holmes, spokesman for Home Depot.
The breach affected people who used payment cards at its self-checkout terminals in US and Canadian stores between April and September 2014. Forensic investigations revealed that the intruder used a vendor’s user name and password in order to infiltrate Home Depot’s computer network. Custom-built malware was then used to access the payment information of shoppers.
The settlement accord covers about 40 million people whose payment card information was stolen. It also covers between 52 to 53 million people who had their email addresses stolen, many who were among the group who also had their payment card details stolen.
Altogether, the data breach resulted in at least 57 proposed class action lawsuits filed across courts in Canada and the United States. The US cases were consolidated in the federal court in Atlanta.
Image credit: Flickr.