Target has agreed to pay $10 million to people affected by the breach of its systems in 2013 that saw 40 million credit and debit card numbers stolen. According to court documents, the retailer's proposed settlement — which has yet to be approved by a federal judge — could pay individuals up to $10,000 in compensation. A court hearing to approve the proposal is scheduled for Thursday.
The deal has not yet been approved by a judge
The proposed settlement is dwarfed by the $200 million banks and credit unions had to spend to provide new cards and reimburse customers who lost money, but might cover customers who had non-payment details stolen — in addition to credit and debit card details, the perpetrators of the attack were also able to get their hands on more than 70 million names, email addresses, and phone numbers. The attackers accessed Target's network using credentials stolen from a contractor, before uploading malware supposedly designed by a Russian teenager to infect the retailer's point-of-sale devices. Over several weeks in late 2013, from Black Friday to mid-December, they were able to skim data from customers who purchased items in almost every one of the company's 1,934 US stores.
The company fast-tracked new security measures in the wake of the attack, but the breach was damaging. In February 2014, it became clear Target knew about the security hole weeks before the attack began, but declined to fix it, leading to the resignation of both the company's head of technology and its CEO. But, somewhat ironically, the retailer wasn't the only target of point-of-sale malware hackers — in the months that followed, Home Depot, Nieman Marcus, and restaurant chain PF Chang;s were among those caught out by attackers using the same method. As of August last year, the Department of Homeland Security said more than 1,000 US businesses had been affected by the cyberattacks.