Target to pay $18.5M to settle hacking probe

Dow Jones Newswires

The sign outside the Target store is seen in Arvada, Colorado (Copyright Reuters 2016)

Target on Tuesday agreed to pay $18.5 million to resolve an investigation by state prosecutors into its massive 2013 hack, a deal that represents the largest multistate data breach settlement in history. 


The investigation, led by the attorneys general of Connecticut and Illinois, focused on allegations that more than 40 million customers had their credit or debit card information compromised in 2013 after Target failed to provide reasonable data security.

The money will go to 47 states and the District of Columbia, with California receiving the largest share of more than $1.4 million. 

"Millions of consumers...across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target's inadequate data security protocols," said George Jepsen, Connecticut's attorney general. 

A spokeswoman for Target said the company is "pleased to bring this issue to a resolution." Target has been working with states for several years to address claims from the 2013 breach, and the costs associated with this settlement are already reflected in reserves that the company has previously disclosed, the spokeswoman said.

The investigation by state prosecutors found that hackers accessed Target's server in November 2013 through credentials stolen from a third-party vendor. The attackers used the credentials to access a customer-service database and installed malware that captured consumers' personal data, including credit card numbers. 


Tuesday's settlement requires Target to hire an executive to oversee an information security program and an independent third party to conduct a comprehensive security assessment. 

Target also agreed to separate its cardholder data from the rest of its computer network and to take other steps, including implementing password rotation policies and two-factor authentication. 

Four years after the hack, Target's breach still ranks among the highest-profile cyberintrusion incidents at a publicly traded company. The theft took a heavy toll on the retailer's reputation with shoppers, cut into sales and led to the ouster of the company's chief executive.

It was followed by a string of similar breaches at other well-known merchants, including Home Depot, luxury retailer Neiman Marcus Group and Asian restaurant chain P.F. Chang's China Bistro. 

Experts often point to the Target breach as a turning point that alerted American corporations to the idea that managing cybersecurity should be a priority for the C-suite, not only for the IT department. 

After the breach, Target faced dozens of lawsuits, as well as federal and state investigations into how the company responded to the attack. In 2015, it agreed to pay out millions in settlements to reimburse financial institutions for costs incurred from the breach. 

The settlement is unlikely to leave Target vulnerable to more private lawsuits, legal experts said. In general, consumers have had trouble extracting big payouts after data breaches. Many data-theft lawsuits have been dismissed after judges found customers couldn't prove they suffered an actual harm from the theft of their personal information. 

Khadeeja Safdar contributed to this article. 

Write to Nicole Hong at nicole.hong@wsj.com