(Reuters) – Home Depot Inc, the largest U.S. home improvement retailer, on Tuesday reached a $17.5 million settlement to resolve a multistate probe into a 2014 data breach where hackers accessed payment card data belonging to 40 million customers.
The settlement with 46 U.S. states and Washington, D.C., stemmed from a breach between April 10, 2014, and Sept. 13, 2014, affecting customers who used self-checkout terminals at its U.S. and Canadian stores.
Hackers used a vendor’s user name and password to infiltrate Home Depot’s network, and deployed custom-built malware to access customers’ payment card information.
The Atlanta-based retailer previously said at least 52 million people also had their email addresses exposed, partially overlapping those whose payment card data was compromised.
Home Depot did not admit liability in agreeing to the settlement, which requires that it hire a chief information security officer, and upgrade its security procedures and training. The probe was led by Connecticut, Illinois and Texas.
Companies that collect sensitive personal information from customers “have an obligation to protect that information from unlawful use or disclosure,” Connecticut Attorney General William Tong said in a statement. “Home Depot failed to take those precautions.”
In a statement, Home Depot said security is a top priority, and that it has since 2014 “invested heavily to further secure our systems. We’re glad to put this matter behind us.”
Home Depot had previously recorded $198 million of pretax expenses for the breach, and resolved litigation by customers, card issuers and banks that claimed they were harmed.
(Reporting by Jonathan Stempel in New York Editing by David Evans and Matthew Lewis)