Target agrees to $18.5 million settlement over 2013 data breach

US retail giant Target has agreed to pay $18.5 million to settle an investigation into a massive data breach that occurred before Christmas in 2013, New York’s attorney general has announced.

Tens of millions of customers were affected by the data breach.

The money will go to 47 states and the District of Columbia. It is the largest multistate data breach settlement in history.

The hackers gained access to Target’s servers using credentials stolen from a third-party vendor. They then installed malware (malicious software) and collected sensitive personal information about the retailer’s customers, including payment card numbers, names, and mailing addresses.

As part of an effort to prevent future breaches, Target says it will also “develop, implement and maintain a comprehensive information security program and … employ an executive or officer who is responsible for executing the plan.”

New York Attorney General Schneiderman said in a statement on the settlement:

“This settlement marks an important win for New Yorkers — bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”

George Jepsen, Connecticut’s attorney general, said:

“Millions of consumers…across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target’s inadequate data security protocols.”