NEW YORK (CBS/AP) — Target Corp. has reached an $18.5 million settlement over a massive data breach that occurred before Christmas in 2013, New York’s attorney general announced Tuesday.
The agreement involving 47 states and the District of Columbia is the largest multistate data breach settlement to date, Attorney General Eric T. Schneiderman’s office said. The settlement, which stipulates some security measures the retailer must adhere to, resolves the states’ probe into the breach.
Target spokeswoman Jenna Reck said in a statement that the company has been working with state authorities for several years to address claims related to the breach.
“We’re pleased to bring this issue to a resolution for everyone involved,” she said.
Massachusetts is set to get $625,000 in the settlement.
“Consumers should be able to shop without fear that their credit card information will be stolen,” Mass. Attorney General Maura Healey said in a statement. “This settlement makes clear that we expect retailers to take meaningful steps to protect consumers’ credit and debit card information from theft.”
Target had announced the breach on Dec. 19, 2013, saying it occurred between Nov. 27 and Dec. 15 of that year. It affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.
The information of about 1.5 million Massachusetts residents was compromised as a result of the breach.
Target’s data breach was the first in a series of scams that hit other retailers including SuperValu and Home Depot. It forced the retail industry, banks and card companies to increase security and sped the adoption of microchips in U.S. credit and debit cards.
An investigation by the states found that in November 2013, scammers got access to Target’s server through credentials stolen from a third-party vendor. They used those credentials to take advantage of holes in Target’s systems, accessing a customer service database and installing malware that was used to capture data, including full customer names, telephone numbers, email and mailing addresses, credit card numbers, expiration dates and encrypted debit PINs.
The settlement requires Target to maintain appropriate encryption policies and take other security steps, though the company has already implemented those measures. Reck said the costs of the settlement are reflected in the reserves that Target has previously disclosed.
(© Copyright 2017 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)