Home Depot has agreed to pay $19.5 million to compensate the 56 million customers affected by its huge 2014 data breach.
Company bosses said they are planning to set up a $13 million reimbursement fund for shoppers whose card details were stolen during the breach. Meanwhile, a further $6.5 million has been earmarked to bolster protection services for future customers.
Home Depot’s attempts to make amends for the major data breach were revealed on Monday, after terms of the preliminary settlement were filed with a federal judge in Atlanta.
Although company bosses still deny that Home Depot was ever guilty of any wrongdoing, the monetary settlement has also been accompanied by a gaggle of corporate governance improvements designed to win back consumer confidence.
The home improvement retailer has committed to a two-year data security improvement plan, and will be hiring a chief information security officer to help prevent further data scares.
Home Depot has also promised that it will compensate affected consumers for their legal fees and related costs associated with the settlement. Consumers who submit claims will be able to “self-certify” the time they spent dealing with issues relating to the breach, at $15 per hour for up to two hours.
“We’re working to put the litigation behind us and this was the most expeditious path, but it’s not an admission of liability,” company spokesman Stephen Holmes said. “Keep in mind that customers were not responsible for fraudulent charges and they’ve been our primary focus throughout.”
It’s little wonder the company wants the dust to settle surrounding its big data scare. The 2014 theft is considered one of the largest retail data heists in history.
Between April and September of 2014, cyber criminals used their own custom-built malware to infiltrate Home Depot’s data network. The hackers used stolen credentials to gain access to the company network, and then proceeded to install malware on self-checkout machines across the U.S. and Canada.
Company bosses had only recently approved a new payment security plan designed to lock down payment data through enhanced encryption – scrambling credit card details and making them virtually useless to hackers. Yet the improvement project had only just started rolling out across the country when the hackers struck.
According to this week’s court filing, the credit card details of at least 40 million customers were stolen before Home Depot figured out what was going on. Around 56 million customers had their email addresses or other personal details taken during the breach.
Home Depot’s settlement offer will need to be approved by a federal judge before it is set in stone. At least 57 class action lawsuits had been filed against the company in the U.S. and Canada before they were consolidated into a single lawsuit in Atlanta.
Legal fees and associated costs on both sides of the case are expected to reach $8.7 million, and Home Depot has reportedly already spent $161 million on the breach.
Despite the scale of Home Depot’s 2014 catastrophe, plenty of other retailers have fallen victim to cybercrime in recent years.
Michaels, Neiman Marcus, and P.F. Chang’s have all fallen victim to similar attacks – and last year, Target agreed to a $10 million settlement after the credit card details of 40 million customers were exposed in a 2013 attack.
Although the burden of data security largely rests with major retailers, government officials have recently joined the fight to improve conditions for American consumers, too.
Last month, President Barack Obama unveiled plans to spend $19 billion on a wide range of projects designed to assist companies in protecting the personal details of customers. The proposal represents a 35 percent spending increase year-over-year.