Target Corp has agreed to pay $10 million in order to settle a class-action lawsuit related to a 2013 breach that compromised users’ financial and personal information, according to court documents.
The proposed settlement, which has yet to be heard in federal court, would require Target to deposit the total settlement amount into an escrow account, which the retailer would use to compensate victims at up to $10,000 each.
Those payments would be processed via the use of a dedicated website, where victims would be asked to film out a form and provide “reasonable documentation showing their losses more likely than not arose from the Target data breach (for example, a credit card statement, invoice or receipt)….”
In addition to compensating victims, Target would agree to appoint a chief information security officer, who would oversee the security training of all Target employees, and to maintain a written information security policy.
“We are pleased to see the process moving forward and look forward to its resolution,” said Molly Snyder, Target spokesperson, in a statement to CBS News.
During the 2013 holiday shopping season, the retailer suffered a data breach that compromised at least 40 million credit cards and may have led to the theft of as many as 110 million customers’ personal information, including email addresses and phone numbers.
A staff report released by the Senate Commerce, Science and Transportation Committee in spring of last year reveals that Target failed to respond to reports of malware being installed on its systems and ignored other warnings of how the attackers would exfiltrate customers’ stolen data.
Despite this apparent negligence, Target worked to prevent victims from filing a class-action lawsuit in response to the breach, claiming that they could not establish any injury. However, a U.S. judge rejected the retailer’s argument back in December, a decision which effectively allowed victims to sue Target.
A $10 million proposal would see that each victim receives some compensation. Even so, Target may still face legal action originating from banks, which might seek to recover their losses after those responsible for the breach made fraudulent purchases using customers’ stolen credit cards