Naked Security

Target agrees to pay $10 million to settle data breach lawsuit

Target has proposed a huge $10 million settlement for victims of its 2013 data breach in which at least 70 million records were compromised.

US retailing giant Target has proposed a settlement worth $10 million (about £6.7 million) in respect of a class-action lawsuit related to the massive data breach it experienced in 2013.

The data breach happened between Black Friday and Christmas that year and saw the theft of around 40 million credit and debit card accounts, as well as a further 70 million customer records containing information that included customer names, addresses, phone numbers and email addresses.

The Target breach timeline

The breach, which originated through an HVAC company (heating, ventilation and air conditioning), remains one of the largest ever in US corporate history and the company is still reeling from the fallout.

First, there was the admission that Target had malware on its POS (point-of-sale) registers, then there was the revelation that at least one analyst, just months before the breach, had pushed for a security review to take place.

We also heard how multiple alerts from Target’s own IT security system were ignored – even as credit card data was being swiped – and how the company’s Chief Information Officer, Beth Jacob, fell on her sword in the aftermath.

As the clean-up continued, the retailer adopted chip-and-PIN technology, and saw its CEO resign.

The company also reported losses of $148 million in respect of the breach and, at the end of last year, it learned that a judge had given banks the go-ahead to sue for negligence.

$10 million in escrow for victims of the breach

Now, according to CBS News, the company has agreed to put $10 million into an escrow account from which victims of the breach, who can prove they suffered harm as a result, can ultimately claim some cash to help alleviate the pain of having their data swiped.

Under the terms of the proposed settlement, Target customers who can provide “reasonable documentation showing their losses more likely than not arose from the Target data breach (for example, a credit card statement, invoice or receipt)” will get the first shot at some of the $10 million. They will also be eligible to receive reimbursement for unauthorised credit card charges, bank fees or costs related to replacement IDs.

After those claims are paid, any remaining settlement funds will be evenly distributed to class members who do not have the necessary documentation.

Under the terms of the settlement, drafted on 9 March but only filed in court on Wednesday, claimants will have to make an application for compensation online using a digital version of a form published by KSTP, and will be able to walk away with up to $10,000 each.

A US federal court judge will have to rubber-stamp the offer before it comes into force but Target spokesperson Molly Snyder said:

“We are pleased to see the process moving forward and look forward to its resolution.”

The proposal will also require Target to maintain a written information security program, appoint a Chief Information Security Officer (CISO) and provide security training to its employees.

According to CBS, the proposed settlement could be heard in a court room in St. Paul, Minnesota, as early as today.

Previously, Target had offered one year of free credit monitoring and identity theft protection to all of its US store customers.


Image of Target courtesy of Rob Wilson / Shutterstock.com
