Home Depot, the retailer hit by a cyber attack in 2014, has agreed to pay a further $27.25 million to affected financial institutions.
A “fixed payment award” of about $2 per compromised payment card will be paid to banks that file valid claims, without their having to prove their losses, even if they have received compensation from another source.
Jim Nussle, chief executive of the Credit Union National Association, said in a news release: “Credit unions and their members have unfortunately borne the brunt of lax merchant data security standards, this settlement would be a step toward making them whole again.”
In September 2014, Home Depot disclosed that hackers had stolen payment card data from customers who made purchases at self-checkout terminals between April 10, 2014, and Sept. 13, 2014. A separate file of customer email addresses was also stolen.
In addition to this class action settlement, Home Depot has already paid at least $134.5 million in compensation to consortia made up of Visa, MasterCard, and various banks. Consumers last year received a $19 million settlement that included a $13 million cash fund as well as $6 million in credit monitoring services.
For Home Depot, the cost of the breach is at least $179 million, according to court documents. “The final total, though, is likely to be much higher because of legal fees and any other undisclosed payouts,” Fortune said.
As part of the latest settlement, Home Depot also agreed to implement a wide range of controls, including tracking and managing data security risk assessments using a risk-exception process, performing reviews of service providers and vendors that have access to payment card information, and creating a security-control framework.