The Home Depot is going to pay a lot of money for its lax cybersecurity practices. The retailer agreed to settle a lawsuit brought by 47 states for $17.5 million dollars.

It all stems from a 2014 data breach where around 40 million consumers had their payment card information exposed.

Cybercriminals managed to get malware onto the company’s network that infected the registers at their self-service checkout. The malware stole the information from customers who used those lanes between April 10, 2014, and September 13, 2014.

In addition to the multi-million dollar settlement, the company also agreed to implement new security measures, including:

  • Hiring a Chief Information Security Officer
  • Training employees about proper cybersecurity and privacy practices
  • Apply strict security safeguards for logins, passwords, encryption, and requiring multi-factor authentication
  • Agreeing to security checkups to make sure they are following the new rules.

States participating in the settlement include:

States participating in this settlement include: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin.