Target Corp. on Tuesday said it has reached an $18.5 million settlement with 47 states over the 2013 data breach that exposed payment data of more than 41 million of its customers and contact information for 60 million shoppers.
The agreement represents the largest multistate data breach settlement achieved to date, according to New York Attorney General Eric T. Schneiderman.
The states' investigation — led by the Attorneys General of Connecticut and Illinois — found that in November of 2013, hackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
Target announced the breach in December of that year. The event forced Target to overhaul its data security and was said to be a factor in the departure of then-CEO Gregg Steinhafel, who resigned in May of 2014.
In addition to the monetary payment to the states, the settlement agreement requires Target to develop and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
Consumers will get no proceeds from the settlement announced Wednesday, although Target is reportedly in the process of a $10 million settlement in a consumer class-action lawsuit connected to the breach. The retailer separately paid out $39.4 million in 2015 to banks and credit unions affected by the breach.