Home Depot officials have agreed to a $17.5 million settlement for a 2014 data breach that exposed the information of 40 million customers.

The home improvement company reached the agreement with the attorney generals of 46 states and the District of Columbia. The settlement stems from a 2014 data breach where hackers were able to access the Home Depot’s self-checkout point-of-sale (POS) systems through a third-party vendor’s credentials. The cybercriminals installed malware and collected customers’ payment card information from April through September of that year. About 40 million U.S. customers had their payment information stolen in the breach.

The harvested personal information can be used for fraudulent purchases, the cloning of payment cards and identity theft.

Along with the $17.5 million payout, Home Depot officials have agreed to hire a chief information security officer to enhance the company’s cybersecurity. Other security measures included in the agreement include the company providing security awareness training, two-factor authentication and other improvements.

The Home Depot data breach occurred about a year after a similar malware attack on POS systems at retailer Target. In the Target data breach, more than 100 million credit card and other personal information was stolen. Target officials settled that data breach with attorney generals in 46 states for $18.5 million.

The Target agreement also stipulated the company hire an information security officer and implement an information security program.