Target Corp. will pay $18.5 million to settle claims related to the massive data breach that compromised 40 million customers’ credit and debit cards in 2013.
The retailer agreed on Tuesday (May 23) to settle up with the 47 states (plus the District of Columbia) that had filed against it after the breach, which Reuters categorized as “one of the biggest data breaches to hit a U.S. retailer.”
New York Attorney General Eric Schneiderman said the hackers had stolen access to credentials from a third-party vendor and used them to access Target’s gateway server where the credit card information was stored.
The breach affected shoppers who had visited Target’s brick-and-mortar stores (but not online shoppers) during the 2013 holiday season. The attack was carried out over the first three weeks of the holiday shopping period and was discovered just before three of the busiest days of the holiday season, adding insult to injury in a season that had already fallen short of revenue expectations.
Insiders said that the retailer was alerted by credit card processors that its system may have been compromised; it did not discover the attack on its own.
The company has now been ordered to employ an executive to oversee a comprehensive information security program and advise the CEO and board. The Minneapolis-based retailer must also hire a third-party contractor to conduct a security assessment and to encrypt card information so that, even if another breach occurred, the information would be rendered useless.
Financial institutions and states have gotten their slice of the settlement pie, with California receiving the largest share of any state at $1.4 million. Consumers, however, are still waiting on the outcome of an ongoing class action settlement. Target spokeswoman Jenna Reck said an agreement had been reached but not finalized.
The total cost of the data breach to Target has been $202 million, and shares dropped 0.6 percent after the settlement was announced.