On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action involving more than 60 nationwide financial institutions harmed by the retailer’s September 2014 data breach. That month, the home improvement giant announced that hackers had installed malware on Home Depot’s checkout kiosks and, over a five-month period, stolen credit card information of more than 56 million shoppers. Immediately thereafter, financial institutions filed more than 25 suits seeking compensation for reissuance fees and fraudulent transaction reimbursements, suits that were then consolidated before a federal court in Atlanta.
The agreement requires the retailer to establish a $25 million settlement fund to reimburse financial institutions for the reissuance of credit cards compromised by the data breach. The Home Depot has also agreed to a series of additional security measures, including implementing new safeguards developed through a risk exception process and enacting new vendor security programs.
Prior to Wednesday’s announcement, Home Depot had already spent more than $140 million to settle claims by many of the nation’s large credit card issuers – including MasterCard, Visa, American Express, and Discover – for damages sustained in this breach.