Home Depot has reached a $17.5 million settlement with the attorney generals of 46 states and the District of Columbia over a 2014 data breach that exposed the payment card information of some 40 million customers.
The Massachusetts Attorney General’s office detailed the settlement in a statement Tuesday, saying Home Depot agreed under its terms to employ a full-time chief information security officer among other measures.
Cybercriminals hacked into Home Depot’s self-checkout point-of-sale systems using a third-party vendor’s username and password and installed malware that harvested the customer data from April through September 2014.
“Retailers must take meaningful steps to protect consumers’ credit and debit card information from theft when they shop,” said Massachusetts AG Maura Healey. “This settlement ensures Home Depot complies with our state’s strong data security law and requires the company to take steps to protect consumer information from illegal use or disclosure.”