Target Corp on Tuesday agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into the retailer’s massive data breach in late 2013.
The investigation — led by the Attorneys General of Connecticut and Illinois — found that cyber attackers had accessed Target’s gateway server through credentials stolen from a third-party vendor, New York Attorney General Eric Schneiderman said in a statement on Tuesday.
In one of the biggest data breaches to hit a U.S. retailer, Target had reported that hackers stole data from up to 40 million credit and debit cards of shoppers who had visited its stores during the 2013 holiday season.
California will receive more than $1.4 million from the settlement, the largest share of any state, California Attorney General Xavier Becerra said.
The costs associated with the settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed, the company said in a statement.
Target also said the total cost of the data breach had been $202 million.
Target spokeswoman Jenna Reck said the company has so far settled with financial institutions and states but is yet to finalize a consumer settlement. “There is a class action settlement that is outstanding. We have reached an agreement but it hasn’t been legally finalized yet.”
As part of the settlement announced on Tuesday, Target is required to adopt advanced measures to secure customer information such as employing an executive to oversee a comprehensive information security program as well as advise its chief executive and board.
The company is also required to hire a independent, qualified third party to conduct a comprehensive security assessment and encrypt or otherwise protect card information to make it useless if stolen.
The Minneapolis-based retailer’s shares were down 0.6 percent at $55.13 in afternoon trade.
(Reporting by Sruthi Ramakrishnan, Nandita Bose; Editing by Anil D’Silva, Bernard Orr)