Target has agreed to pay $18.5 million to settle a multi-state investigation into its colossal data breach in 2013 that affected 70 million shoppers, authorities announced Tuesday.
New York State will receive more than $635,000 from the settlement – the largest -ever multi-state data breach settlement , which includes 46 other states and Washington, D.C., according to Attorney General Eric Schneiderman.
The popular discount chain admitted in 2014 that the names, home addresses, phone numbers and e-mail address of 70 million customers were stolen by cyber-criminals over the holiday season. At least 40 million credit cards were compromised.
The attack affected 1.9 million customer accounts in New York alone and 1,800 Target stores nationwide, authorities said.
The probe, which was led by a ttorney s g eneral in Connecticut and Illinois, found that cyber attackers accessed Target’s gateway server through stolen credentials in November 2013. They then installed malware in the company’s customer service database, allowing them to siphon the personal information, as well as credit card data.
The settlement also requires Target to maintain encryption policies to protect cardholder and personal information and separage cardholder data from the rest of its computer network.
“New Yorkers need to know that when they shop, their data will be protected,” Schneiderman said in a statement. “This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”
The settlement cash will be kept by the state and not passed onto consumers.
In 2015, Target agreed to pay $39.4 million to settle class-action lawsuits filed by banks and credit unions over the data breach. The company said at the time that it spent $290 million related to the breach.
Also that year, the company agreed to a $10 million payment to settle class-action claims brought by customers.
Following the breach, Target paid for one year of free credit monitoring for potential victims in New York.
Alabama, Wyoming and Wisconsin were not part of the multi-state settlement.