Target will pay $18.5 million in settlement with states over 2013 data breach

Target Corp. will pay $18.5 million to 47 states, including California, and the District of Columbia as part of a settlement over a 2013 data breach that compromised tens of millions of customers’ credit and debit card information.

California will receive more than $1.4 million from the settlement, the largest amount of any state, according to California Atty. Gen. Xavier Becerra. His office said that money would be used toward enforcing consumer protection laws.

“Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security,” Becerra said in a statement. “This should send a strong message to other companies: You are responsible for protecting your customers’ personal information.”


Alabama, Wisconsin and Wyoming were not part of the settlement announced Tuesday.

As part of the settlement, the Minneapolis-based retailer will also be required to employ an executive to manage a “comprehensive information security program” and advise the company’s chief executive and its board of directors, according to the statement from Becerra’s office.

Target must hire an independent third party to do a comprehensive security assessment, according to a statement from the New York attorney general’s office. It has to add other cybersecurity measures, including encrypting payment card information so the data are useless if stolen, separating its cardholder data from the rest of its computer network and instituting password rotation policies and two-factor authentication for certain accounts.

Target said it was “pleased to bring this issue to a resolution for everyone involved.” The retailer added that the costs associated with this settlement were “already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”

The 2013 data breach led to the resignation of longtime Target CEO Gregg Steinhafel. It also hurt the company’s sales and profits.

Target has since overhauled its security systems and settled other lawsuits related to the breach, including one from credit card company Visa Inc. A $10-million settlement for a class-action lawsuit brought by consumers is still going through the court system, though it received approval from a federal judge in 2015.

Target shares fell 1.7% on Tuesday to $54.49.

Twitter: @smasunaga


Google starts tracking your offline shopping — what you buy at stores in person

Three reasons why Fox News is losing its ratings dominance

Google’s artificial intelligence machine AlphaGo just beat the world’s No. 1 Go player


3 p.m.: This article was updated with Target’s stock movement.

10:20 a.m.: This article was updated with information about a class-action lawsuit.

9:30 a.m.: This article was updated with information about additional cybersecurity measures Target will be required to adopt as part of the settlement, and with the names of the states that were not part of the settlement.

8:40 a.m.: This article was updated with a comment from Target.

This article was originally published at 8:30 a.m.