The retailer will set up a USD 13 million fund to reimburse shoppers for out-of-pocket losses, and spend at least USD 6.5 million to fund 1-1/2 years of cardholder identity protection services.
Home Depot also agreed to boost data security over a two-year period, and hire a chief information security officer to oversee its progress. It will separately pay legal fees and related costs for affected consumers.
Home Depot did not admit wrongdoing or liability in agreeing to settle. The settlement requires court approval.Home Depot has said the breach affected people who used payment cards on its self-checkout terminals in US and Canadian stores between April and September 2014.
It has said the intruder used a vendor’s user name and password to infiltrate its computer network, and used custom-built malware to access shoppers’ payment card information.
The accord covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the groups.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now