Home Depot Reimburses Customers for Data Breach
Home Depot will establish a $13 million fund to compensate US customers affected by a 2014 data breach. The retailer will spend another $6.5 million to fund identity protection services for the credit and debit cardholders harmed by the breach. According to Reuters, the settlement covers about 40 million people who had payment card data and email addresses stolen. Additionally, the retailer will cover legal fees for victims of identity theft and other crimes that resulted from the breach.
Back in 2014, cyberthieves broke into Home Depot’s payment systems using credentials from a third-party vendor. They exploited an unpatched vulnerability in Windows to access the retailer’s payment card system and deployed custom malware to collect customer payment card and email address information. The attack remained undetected for about five months.
While stolen email addresses do not seem to warrant the same diligence as stolen card information, such data falling into the wrong hands poses its own unique risks. In particular, custom phishing attacks could be used to target Home Depot customers. A phishing attack is an attempt to acquire sensitive information, such as passwords or payment card details, by posing in electronic communication as a trustworthy entity such as a bank or retailer. Since the cybercriminals involved in this case know the email addresses belong to Home Depot customers, they can use this information against them. For example, they could launch a phishing campaign claiming to be from Home Depot, using Home Depot branding to trick unsuspecting users into sharing information.
Over 50 class action lawsuits were filed in the US and Canada as a result of Home Depot’s data breach. The settlement in question resolves the consolidated US cases. Large settlements resulting from a data breach are becoming increasingly common. In April of last year, AT&T agreed to pay $25 million to settle an FCC investigation into three major data breaches.