Home Depot will pay at least $19.5m in compensation to the 50 million customers hit by hackers who infiltrated the chain's sales tills in 2014.
The US home improvement warehouse will create a $13m fund to reimburse shoppers and spend a further $6.5m providing a year's worth of identity protection for those impacted.
Those are the terms of an agreement disclosed in federal court in its home town of Atlanta, Georgia, on Thursday, the result of combining no fewer than 57 class action lawsuits in the US and Canada.
The company admitted in September 2014 it was hacked, after it emerged its payment systems had been infected by a variant of the BlackPOS (point-of-sale) malware. This software nasty installs itself on cash registers and sends copies of every swiped card to fraudsters.
That malware had earlier slurped 40 million credit card details from retailer Target (which resulted in a $10m settlement). Home Depot later revealed that 56 million cards had been compromised.
The company was accused of having ignored warnings from its security staff that its anti-virus software had not been updated for over seven years, and it was discovered that ineffective password security had allowed hackers to plant information-stealing malware on sales terminals. It was also revealed that an equal number of email addresses had been compromised.
Despite all that, Home Depot's proposed agreement – it still needs to be authorized by the court – does not admit any wrongdoing and it would not accept any liability going forward.
The company will also hire an information security chief to improve its data security. The big winners were, as ever, the lawyers, who pocketed $8.7m in fees. ®