PINDROP BLOG

Home Depot Pays $19.5 Million to Settle Data Breach Suits

The Home Depot has agreed to pay more than $19 million to settle a massive class-action lawsuit stemming from its 2014 data breach, one of the larger incidents in United States history.

The settlement brings to a close what has been a long and ugly tale. The data breach came to light in late 2014 when the company revealed that it had discovered a widespread compromise at stores in Canada and the U.S. resulting from malware being planted on self-checkout terminals. The malware was able to record payment card numbers, and Home Depot officials said that its investigation showed that the malware was unique at the time.

“Criminals used unique, custom-built malware to evade detection. The malware had not been seen previously in other attacks, according to Home Depot’s security partners,” the company said in a statement at the time. “The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards.”

That kind of payment-terminal malware was also responsible for the Target data breach, which affected more than twice as many customers as the Home Depot incident. Target paid $10 million to settle suits related to that breach, and while Home Depot will pay about $19.5 million to settle its suit, that figure is only a fraction of the breach's actual cost to the company.

Home Depot has said that the breach has cost the company $161 million in charges since it occurred. Most of the $19.5 million settlement will go into a fund for consumers affected by the breach, and the company also agreed to set up a better security program and hire a CISO.

“We wanted to put the litigation behind us, and this was the most expeditious path,” spokesman Stephen Holmes told Reuters. “Customers were never responsible for any fraudulent charges.”

The Home Depot settlement comes just after the FTC sent an order to nine PCI DSS auditors asking, in part, how many of their clients had suffered a data breach the year after they’d been declared compliant in an audit.

Image from Flickr stream of Nicholas Eckhart