(CN) – Target agreed to pay consumers in 47 states $18.5 million to settle states’ claims stemming from a computer hack of its customers’ private financial information in 2013.
The Minnesota-based big-box retailer agreed to the dollar figure and other stipulations in what amounts to the largest multistate consumer payout in connection with a data breach.
“Companies across sectors should be taking their data security policies and procedures seriously,” said Connecticut Attorney General George Jepsen, who led the investigation along with Illinois AG Lisa Madigan. “Not doing so potentially exposes sensitive client and consumer information to hackers.”
Target released a statement saying it has been working with the states for several years and is pleased with the final result.
“We’re pleased to bring this issue to a resolution for everyone involved,” the company said.
The hack occurred between Nov. 27 and Dec. 15, 2013, and the company announced it four days later. Cybercriminals used credentials stolen from a third-party vendor to access Target’s gateway server.
From there, hackers gained entry into the company’s customer-service database and installed malware to capture data, including full names, telephone numbers, email addresses, mailing addresses and complete financial data including CVV1 and encrypted PINs, according to an investigation conducted by Madigan and Jepsen.
The breach affected the credit card information of 41 million consumers and disclosed the personal information of about 61 million.
Along with the monetary payment spread throughout the 47 states and the District of Columbia, Target has agreed to implement a data-security system, hire a full-time executive to oversee the system and subject itself to independent audits to ensure the system’s continued functionality.
“People must remain vigilant about activity on their credit and debit cards as it’s not a matter of if but when you are going to be a victim of identity theft or a security breach,” Madigan said.
Target struggled in the immediate aftermath of the breach, with its CEO Gregg Steinhafel departing the company soon after and being replaced by Brian Cornell in 2014.
The company’s stock and earnings fell after the hack announcement as well.
Only Alabama, Wisconsin and Wyoming did not participate in the settlement.