Home Depot will pay at least another $19.5 million in compensation to customers affected by its massive 2014 data breach, as part of a $161m pot of pre-tax expenses it has set aside, according to new court documents.
The papers filed with a federal court in the firm’s home city of Atlanta disclose the terms of a preliminary settlement with Home Depot customers which has yet to be approved by the court, according to Reuters.
They apparently detail an agreement to pay $13m to reimburse any customers who have incurred losses as a result of the breach and at least $6.5m to pay for card identity protection services.
Although the firm is said to have admitted no wrongdoing or liability in agreeing to the pay out, it has set aside a whopping $161m in pre-tax expenses to deal with the fallout of the breach, not including insurance proceeds.
The report claimed legal fees alone could top $8.7m.
The home improvement giant, a household name in the US, has apparently also agreed to hire a CISO to oversee a two-year improvement program designed to raise the standard of data security at the firm.
"We wanted to put the litigation behind us, and this was the most expeditious path," spokesman Stephen Holmes said. "Customers were never responsible for any fraudulent charges.”
The huge sums involved once again highlight the financial fallout that can follow a major data breach.
It is thought around 40 million customers had their financial details stolen in the 2014 breach and 52 million had email addresses taken, with some overlap between the two.
The firm claimed cyber-criminals used a third party vendor’s username and password to get into the firm’s network, before elevating privileges and deploying POS malware on self-checkout systems to scoop up the financial data.
Despite setting aside $161m for expenses following the incident, it’s unclear how many customers the retail giant has lost as a result of the breach – the so-called reputation damage which is almost impossible to quantify but can be far longer lasting.
A study by HyTrust in 2014 claimed 51% of consumers would take their business elsewhere following a breach.