The proposed $19 million settlement between Target (NYSE:TGT) and MasterCard (NYSE:MA) over losses incurred from the 2013 data breach has fallen through. The deal did not gain enough support from credit card issuers.
Under terms of the April 16 agreement, at least 90 percent of the card issuers hurt by the breach had to affirm the settlement by May 20, but that did not happen, MasterCard and Target confirmed, according to the Star Tribune.
The attorneys for the lead plaintiffs, a group of smaller banks, cheered the setback for Target and MasterCard. They have brought a federal lawsuit against Target and said the proposed settlement was too little relief. The settlement was "laughable," they said, while attacking it for going around the courts. Their lawsuit, which they hope to give class action status later this year, is making its way through the U.S. District Court in St. Paul. It is expected to go to trial in March 2016.
"We are pleased that financial institutions have resoundingly rejected Target and MasterCard's attempt to avoid fully reimbursing the losses suffered during one of the largest data breaches in U.S. history," attorneys Charles Zimmerman and Karl Cambronne said in a joint statement. "Financial institutions clearly saw through Target's misleading statements and efforts to extinguish pending legal claims for pennies on the dollar."
The National Association of Federal Credit Unions is also pleased to see the end of the settlement. "The failure to opt in to the settlement by financial institutions sends a strong signal to card companies that the current reimbursement system does not work and financial institutions need to be made whole," Carrie Hunt, a senior VP of the association, said in a statement.
While confirming the settlement's end in an email, Target spokesperson Molly Snyder told Reuters the retailer had "nothing further to share at this time."
MasterCard will apparently continue to seek a settlement. "At this stage we will continue to work to resolve the matter," MasterCard said in a statement.
The two sides are to return to court on May 27 to discuss how the suit will proceed before U.S. District Judge Paul Magnuson, reported the Pioneer Press.
The plaintiffs had tried to block parts of the deal earlier this month. They said MasterCard claimed the $19 million would cover 71.4 percent of the banks' breach-related costs, but said that percentage was not representative of the actual costs banks and credit unions suffered. MasterCard is not a party to the lawsuit.
Federal judge Magnuson denied that attempt because the lawsuit has not yet been certified as a class. He said the settlement might not "pass the smell test."
MasterCard initially demanded that Target pay more than $26 million to its card-issuing banks for damages from the data breach, the judge wrote, but later agreed to $19 million.
According to court documents, about 8.8 million MasterCard accounts were affected by the data breach. Visa is reported to have a larger portion of card accounts affected by the breach, but remains in talks with Target.
The credit and debit card information of roughly 40 million customers was stolen during the 2013 holiday shopping season when hackers broke into Target's point-of-sale system. The personal information of an additional 70 million people was compromised.
Target's expenses related to the breach are about $256 million so far, $90 million of which is expected to be covered by insurance. In March, Target reached a separate $10 million settlement to resolve a class action lawsuit brought by consumers whose cards were stolen.
Target breach cost $148 million; tech hub opens in Silicon Valley
Target: Timeline of a data breach
Target's data breach is a story with long legs
How to prevent Target-like data breaches
Target catches a break in data breach lawsuit