Home Depot has reached an agreement to pay $25 million to banks and credit unions to settle a lawsuit over the retailer’s 2014 data breach.
The lawsuit and settlement represent the consolidation of over 25 class actions against Home Depot by 50 financial institutions. The banks claimed that lax security practices led to Home Depot’s breach of information from an estimated 56 million payment cards.
“Investigation revealed hackers placed malware on Home Depot’s self-checkout kiosks in stores across the country, allowing them to steal customers’ personal financial information, including names, payment card numbers, expiration dates, and security codes,” noted the US District Court for the Northern District of Georgia in its discussion of the settlement, which still requires final approval.
“The stolen information was then sold over the Internet to thieves who made massive numbers of fraudulent transactions using the payment cards that financial institutions had issued to Home Depot’s customers,” the court said. “Financial institutions were forced to cancel and reissue the compromised payment cards to mitigate the damage, reimburse their customers for fraudulent transactions, and otherwise incur substantial out of pocket expenses in responding to the data breach.”
The settlement includes assurances that in addition to paying $25 million into a fund for financial institutions, Home Depot will also make security updates to prevent breaches in the future.