American home improvement retailer Home Depot has agreed to a $17.5 million settlement to put an end to a state investigation into a data breach in 2014. More than 40 million customers were affected.
The amount Home Depot has agreed to pay will be divided amongst the 46 U.S. states that filed the case. The breach, caused by a still-unidentified group of hackers that got access to payment card data, occurred between April and September 2014.
According to investigators, hackers had used a Home Depot employee's username and password to access Home Depot's network. They then proceeded to install custom-built malware to gather millions of customer payment card information. Further investigation in the matter found that customers' email addresses were also compromised.
Home Depot denied any liability stemming from the hack and said that the settlement was not an admission. Under the settlement agreement, Home Depot will be required to hire a chief information officer. The company also agreed to enhance security procedures and provide training to its employees on how to better secure their access information.
Connecticut Attorney General William Tong mentioned in a statement following the settlement that all companies are obligated to protect the information and data of their customers. He added that Home Depot clearly failed to fulfill its obligations by not taking the necessary precautions.
Home Depot said that since the 2014 breach, it has already invested heavily in improving its network security systems. The company assured customers that data security is one of its top priorities.
Apart from the probe launched by the U.S. states, Home Depot also faced several lawsuits filed by customers, banks, and card issuers following the breach. The company has since resolved most of the litigation against it through in-court and out-of-court settlements. In its latest earnings report, Home Depot said that it had recorded around $198 million in pretax expenses related to the data breach.