Home Depot settles suit on card-data breach for $20 million, security pledges

The DIY retail chain was hacked and cybercriminals got away with the details of 56 million payment cards; then it was sued by its customers. Now it has settled.

Home Depot, the hardware retail giant that was robbed of the payment card details of 40 million customers in 2014, has settled a class action consumer lawsuit, agreeing to pay $13 million in cash compensation, spend $6.5 million on ID theft protection and adopt a series of measures to tighten its security.

According to settlement papers filed this week and approved by a federal judge Wednesday, customers who had their personal or financial information compromised and registered last year to be part of the class can get reimbursed for losses from the massive data breach of up to $10,000 each.

The restitution covers: any still-unreimbursed fraudulent charges on cards whose data was stolen; the costs and expenses of identity theft or fraud; any losses caused by restricted access to funds, such as the cost of taking out a loan or ATM withdrawal fees; and preventative costs against ID fraud, such as buying credit monitoring.

Home Depot also agreed to pay $15 an hour for up to five hours of time consumers could document as being spent addressing the fallout from the breach.


Those payments will come out of a $13 million fund that Home Depot will establish and KCC Class Action Services will administer.

The retailer also agreed to spend $6.5 million providing free enrollment for 18 months with Identity Guard ID monitoring services to anyone whose personal or financial information was compromised.

Finally, the company agreed to adopt, for at least two years, a series of business practices designed to shore up the security of its IT networks and the way it handles payment card information.

The measures include “maintaining” a CISO (the company already has one); “routine risk assessments” to find possible security flaws; a vendor security program (the attackers got in using a hacked vendor's credentials); a data security and privacy education and training program for staff; and broad use of encryption and minimal-retention standards for payment card data.

“We wanted to put the litigation behind us, and this was the most expeditious path,” company spokesman Stephen Holmes said in a statement. “It’s important to remember that customers were never responsible for any fraudulent charges.”


Written by Shaun Waterman

