US retailer Target has agreed to a $10m compensation package for victims of its 2013 data breach.
Lawyers for customers who filed a class action suit have asked the judge in the case to approve Target’s offer, which could see individuals getting up to $10,000 in damages, according to NBC News.
The class action claimed compensation for unauthorised payment card charges, lost access to accounts, card replacement fees and credit monitoring costs.
As many as 40 million payment card account details were exposed in the breach between 27 November and 15 December 2013, which is believed to have affected up to 70 million customers.
In addition to the payment card details, attackers are believed to have stolen records that included names, addresses, email addresses and phone numbers.
Up to three million of the payment card details are believed to have been sold on the black market and used for fraud before issuing banks cancelled the rest.
In addition to the compensation package, Target has agreed to appoint a chief information security officer (CISO) who will oversee employee training on securing customers’ personally identifiable information.
Target does not appear to have had a dedicated CISO prior to the breach, which was followed by the resignation of the retailer’s CIO and CEO in quick succession.
“We are pleased to see the process moving forward and look forward to its resolution,” Target said in a statement.
But even if the package is approved, that will not be the end of the breach-related costs. More costs could be on their way, with several financial institutions poised to go ahead with lawsuits over losses associated with the Target breach.
In February, Target declared a cost of $162m in the company’s annual financial report, but commentators said the total could be $1bn or more after all claims are paid.
Steve Hultquist, chief evangelist at security firm RedSeal, said even a significant investment in proactive security analytics and process improvements would have given a good return on investment for Target.
“Invest now or pay later – this is the message from the Target breach. Making strategic investments now is a wise preventative measure to keep your organisation and your customers safe,” he said.