Home Depot offers $19.5 million in breach settlement

The Home Depot Inc. has reached a tentative settlement of consumer claims regarding a 2014 data breach that may have exposed personal and financial information of more than 50 million consumers.



Home Depot agreed to pay $13 million to reimburse affected consumers for out-of-pocket expenses and spend at least $6.5 million to offer 18 months of identity protection services for holders of cards that may have been exposed. The retailer also agreed to improve its data security and to hire a chief information security officer.



Any other legal fees or other costs for consumers will be paid separately. Home Depot previously estimated it has spent $152 million pre-tax expenses related to the breach, including expected insurance reimbursements. The breach occurred between April and September 2014 and exposed payment card data of 40 million consumers and email information of more than 50 million consumers, with some consumers having both types of data exposed.



As happened in the 2013 Target breach, the Home Depot’s network was penetrated by criminals who misused credentials of a third-party vendor to gain access and install malware.



Home Depot admits no wrongdoing in the settlement, which must be approved by a federal judge in Atlanta. The settlement covers a consolidation of at least 57 consumer class action suits filed in the U.S. and Canada.