Nearly two years after Home Depot said 56 million consumers’ credit and debit cards, as well as email addresses, were compromised in a massive data breach, the home improvement retailer has reached a $19.5 million deal to settle a class-action lawsuit and compensate those customers.
As part of the settlement, which was filed with a federal court in Atlanta and must still be approved by the court, Home Depot will set up a $13 million fund to reimburse affected shoppers for their out-of-pocket losses, Reuters reports.
The company also agreed to spend $6.5 million to fund 18 months worth of cardholder identity protection services for about 40 million people who had their card information stolen and 52 to 53 million who had email addresses stolen — there is expected to be some overlap between the groups.
While Home Depot didn’t admit to wrongdoing or liability in the settlement, Reuters reports that the company agreed to take steps to improve data security over a two-year period and hire a chief information security officer to oversee progress.
“We wanted to put the litigation behind us, and this was the most expeditious path,” Home Depot spokesman Stephen Holmes said. “Customers were never responsible for any fraudulent charges.”
Tuesday’s settlement, if approved, would resolve more than 50 proposed class-action lawsuits that were consolidated into one in Atlanta.
The lawsuits came after Home Depot announced in September 2014 that its in-store payment systems had been breached for many months.
Officials with Home Depot say the hackers accessed their systems with stolen credentials from a third-party vendor.
It’s believed that hackers then navigated Home Depot’s main computer network by exploiting a vulnerability in Microsoft’s operating system. From there the hackers were able operate as Home Depot employees with high-level permissions.
The hackers then targeted roughly 7,500 self-checkout machines at stores in the United States and Canada in order to deploy malicious software to steal the financial information.