Home Depot offers $19M to settle customers' hacking lawsuit

The 2014 hack of the home-improvement retailer's payment systems exposed more than 50 million credit card accounts.

Steven Musil Night Editor / News

More than 50 million Home Depot customers' credit cards were exposed to theft in a massive hack in 2014.

Home Depot says it's willing to pay as much as $19.5 million to settle a class-action lawsuit brought by shoppers affected by a massive security breach that exposed credit card information belonging to 56 million customers.

The home-improvement retailer's offer includes the creation of a $13 million fund that would compensate customers for out-of-pocket expenses such as reasonably traceable fraud. The remaining money would go toward legal fees and associated expenses. Atlanta-based Home Depot also promised Tuesday to adopt new data security measures to protect its customers' personal and financial information.

Home Depot said its settlement offer, which still requires court approval, was not an admission of liability in the matter.

"We're working to put the litigation behind us, and this was the most expeditious path," said Stephen Holmes, a Home Depot spokesman.

The settlement offer does not cover other pending lawsuits from financial institutions such as banks and credit card companies.

In one of the largest data breaches ever, hackers used custom-built malware to steal the credit card information of 56 million Home Depot customers between April and September 2014. Using credentials stolen from a third-party vendor, hackers worked their way through Home Depot's network to insert the malware on the retailer's self-checkout machines in the US and Canada, where the credit card information was exposed.

The breach occurred at a time when hacks on businesses and government agencies were running rampant. There were more than 1,500 data breaches worldwide in 2014, up nearly 50 percent from 2013.

The hack into Home Depot was similar to a security breach at retail giant Target in 2013 that exposed the credit card data of 40 million Target customers and the personal information of an additional 70 million customers. In that case, Target offered $10 million to settle the resulting class-action lawsuit.

In the months that followed, arts and crafts retail chain Michaels Stores, department store Neiman Marcus, and restaurant chain P.F. Chang's all revealed they had fallen victim to security breaches aimed at stealing customers' credit card information.

In response to that uptick, the Obama administration last month proposed spending $19 billion on a broad range of initiatives designed to make it harder for hackers to steal information from individuals, companies and government agencies, a 35 percent increase over the previous year's budget.