It’s been almost two years since Home Depot said that 56 million consumers’ credit and debit cards, and email addresses, were exposed in a massive data breach. Now the home improvement giant has reached a $19.5 million deal to settle a class-action lawsuit and compensate data breach victims.
Under the settlement, which was filed with a federal court in Atlanta and is pending court approval, Home Depot will set up a $13 million fund to reimburse affected customers, Reuters reports.
The company also agreed to pay $6.5 million to fund 18 months of cardholder identity protection services for about 40 million people who had their card information stolen — and 52 to 53 million who had email addresses stolen. There is some overlap with these to categories.
“We wanted to put the litigation behind us, and this was the most expeditious path,” Home Depot spokesman Stephen Holmes said. “Customers were never responsible for any fraudulent charges.”
Home Depot did not admit to wrongdoing or liability in the settlement, Reuters reports. But Home Depot agreed to improve data security over a two-year period and hire a chief information security officer to oversee its progress. Home Depot has said the breach hit customers who used payment cards on its self-checkout terminals in U.S. and Canadian stores between April and September 2014.
The settlement, if approved, would resolve more than 50 proposed class-action lawsuits that were consolidated into one in Atlanta.