US retailer Target could pay up to $67m to Visa and banks that issue Visa cards for the costs incurred as a result of the devastating hack in which the payment card details of 40 million customers were stolen.
The attack, which occurred in 2013, saw approximately 110 million Target customers’ personal data being stolen, and the company has since faced legal action from consumer groups and financial institutions over the breach.
However, any bank that agrees to this settlement deal will have to drop their involvement in any other legal action, according to Reuters. Many Visa card-issuing banks support the legal action brought forward by Visa, according to The Wall Street Journal.
Target is now working on a similar deal with MasterCard, after an initial $19m settlement was not supported by a sufficient number of MasterCard-issuing banks.
The US retailer’s card details were stolen after the attackers, using compromised network-access credentials stolen from one of the company’s suppliers, were able to plant malware onto Target’s security and payments system. This enabled them to cream off the credit card details from every transaction at the company’s 1,797 US stores.
While the attack was spotted almost straightaway by FireEye, the company’s security monitoring company, and by its own IT security staff in Bangalore, staff at the company’s headquarters completely failed to heed their warnings. Target head office staff only responded when the US Department of Justice notified the retailer of the breach in mid-December 2013.
Had Target acted on the initial warnings, the attack would have been prevented.
As a result of the hack, Target’s CEO Gregg Steinhafel and its CIO Beth Jacob resigned from their roles. The firm hired Bob DeRodes in a fire-fighting CIO role in the aftermath of the hack, but he has since retired and been replaced by former Tesco CIO Mike McNamara.