Home improvement retailer Home Depot has agreed to pay some $19.5 million to U.S. customers affected by a 2014 data breach that compromised more than 50 million credit cards, according to court papers filed Monday and reported by Reuters.
Home Depot will establish a $13 million fund that will finance reimbursement of out-of-pocket expenses related to the event, plus another $6.5 million dedicated to paying for identity-protection services.
The settlement, which awaits approval from the federal court in Atlanta, caps nearly two years of litigation during which Home Depot sought to quash the suits, saying customers couldn’t show harm. The settlement entails no admittance of liability or wrongdoing by the retailer.
In the fall of 2014, Home Depot was criticized for its handling of the data breach—not revealing it until cyber-security journalist Brian Krebs wrote about it—as well as the massive scope of the incident. Two years of litigation sounds painful, but this is a nice outcome for Home Depot. The lawsuits brought against the company were never certified as class actions, which would likely have meant more money and more attention. This way, the retailer contains the fallout fairly neatly.
"We wanted to put the litigation behind us, and this was the most expeditious path," Stephen Holmes, a spokesperson for Home Depot, told Reuters. "Customers were never responsible for any fraudulent charges."
According to Reuters, the lawyers representing Home Depot consumers were also pleased with Monday’s outcome. The accord covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the groups.
Cybercrime is now the second most reported economic crime behind only asset misappropriation, and has impacted at least a third of all organizations over the last two years, a recent PricewaterhouseCoopers report found. PwC's Global Economic Crime Survey also reveals that only 37% of businesses have implemented cyber incident response plans, despite 61% of CEOs surveyed saying they were concerned about cybersecurity.