The home improvement retailer will set up a $13 million fund to reimburse shoppers for out-of-pocket losses, and spend at least $6.5 million to fund 1-1/2 years of cardholder identity protection services.
Spread the Word
Home Depot also agreed to improve data security over a two-year period, and hire a chief information security officer to oversee its progress.
It will separately pay legal fees and related costs for affected consumers.
Terms of the preliminary settlement were disclosed in papers filed on Monday with the federal court in Atlanta, where Home Depot is based.
Home Depot did not admit wrongdoing or liability in agreeing to settle. The settlement requires court approval.
"We wanted to put the litigation behind us, and this was the most expeditious path," spokesman Stephen Holmes said. "Customers were never responsible for any fraudulent charges."
Home Depot has said the breach affected people who used payment cards on its self-checkout terminals in U.S. and Canadian stores between April and September 2014.
It has said the intruder used a vendor's user name and password to infiltrate its computer network, and used custom-built malware to access shoppers' payment card information.
The accord covers about 40 million people who had payment card data stolen, and 52 million to 53 million people who had email addresses stolen, with some overlap between the groups.
Home Depot said it has booked $161 million of pre-tax expenses for the breach, including for the consumer settlement, and after accounting for expected insurance proceeds.
Lawyers for the consumers said the accord compares "favorably" with other data breach class actions, including Target Corp's $10 million settlement over a 2013 data breach that compromised at least 40 million cards.
Legal fees and costs for the lawyers could top $8.7 million, court papers showed.
At least 57 proposed class action lawsuits were filed in U.S. and Canadian courts over the data breach. The U.S. cases were consolidated in the Atlanta court.
The case is In re: Home Depot Inc Customer Data Security Breach Litigation, U.S. District Court, Northern District of Georgia, No. 14-md-02583.
RELATED: Other notable data breaches
Notable Data Breaches
Home Depot settles consumer lawsuit over big 2014 data breach
The Homeland Security Department headquarters in northwest Washington, Friday, June 5, 2015. China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time. The Department of Homeland Security said in a statement that data from the Office of Personnel Management _ the human resources department for the federal government _ and the Interior Department had been compromised. (AP Photo/Susan Walsh)
LONDON, ENGLAND - AUGUST 19: A detail of the Ashley Madison website on August 19, 2015 in London, England. Hackers who stole customer information from the cheating site AshleyMadison.com dumped 9.7 gigabytes of data to the dark web on Tuesday fulfilling a threat to release sensitive information including account details, log-ins and credit card details, if Avid Life Media, the owner of the website didn't take Ashley Madison.com offline permanently. (Photo by Carl Court/Getty Images)
FILE - In this Feb. 5, 2015 file photo, the Anthem logo hangs at the health insurer's corporate headquarters in Indianapolis. Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for health care privacy in the Internet age _ a striking omission in light of the cyberattack against Anthem, the nation's second-largest health insurer. (AP Photo/Michael Conroy, File)
Sony Pictures Entertainment headquarters in Culver City, Calif. on Tuesday, Dec. 2, 2014. The FBI has confirmed it is investigating a recent hacking attack at Sony Pictures Entertainment, which caused major internal computer problems at the film studio last week. (AP Photo/Nick Ut)
FILE - In this file photo made Oct. 6, 2009, employee John Abou Nasr pushes shopping carts in the parking lot of a Home Depot in Methuen, Mass. Home Depot's data breach could wind up being among the largest ever for a retailer, but that may not matter to its millions of customers. (AP Photo/Elise Amendola, File)
Shoppers arrive at a Target store in Los Angeles on Thursday, Dec. 19, 2013. Target says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear. (AP Photo/Damian Dovarganes)
Graphic shows details of recent notable data breaches by organization; 3c x 7 inches; 146 mm x 177 mm;