Target Corp. has agreed to pay $18.5 million as part of a settlement with 47 states, including Maryland plus Washington, D.C., over the retailer's 2013 data breach, Maryland Attorney General Brian E. Frosh said Tuesday.
The largest-ever multi-state data breach settlement resolves the states' investigation into the matter, Frosh said.
The breach affected more than 41 million customer payment card accounts, the states alleged. It also exposed contact information for more than 60 million customers, including consumers' names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates and encrypted debit personal identification numbers, the states said.
"We're pleased to bring this issue to a resolution for everyone involved," said Jenna Reck, a Target spokeswoman, in an email.
She said the retailer has worked with state attorneys general for several years to address claims. The costs associated with the settlement were included in data breach liability reserves that Target previously disclosed.
The settlement requires Target to take steps such as hiring an executive who will oversee a comprehensive information security program, hiring a third-party to conduct a comprehensive security assessment and maintaining encryption policies to protect cardholder and personal information.
The states alleged that cyber attackers accessed Target's gateway server, using a third-party vendor's credentials. The attackers accessed a customer service database and installed malware to capture personal information.