Target (NYSE:TGT) has settled a class-action lawsuit stemming from the 2013 data breach, agreeing to pay $39 million to cover the costs incurred by banks and other credit card issuers.
During the fall of 2013, cyber-thieves gained access to the charge card information of 40 milllion Target customers and the personal information of up to 70 million.
Visa and MasterCard had previously reached settlements with Target and today's settlement is the last piece of outstanding litigation stemming from the breach, including the financial institutions not covered in previous settlements, according to the Star Tribune.
"Banks who decided not to merely waive their claims but cast their lot with this class case are going to be handsomely benefiting from it," a lead attorney at Karl Cambronne of Chestnut Cambronne told the Star Tribune.
In all, Target will have paid roughly $329 million in expenses related to the breach, including the cost of replacing security systems and installing new point-of-sale terminals, estimated at $100 million. Insurance covered just $90 million.
Target's liability was somewhat unprecedented, as financial institutions are typically liable for the costs to replace cards and the reimbursement for fraudulent charges. But in December 2014, Target was found negligent by ignoring warnings and allowing hackers to gain access through a Pennsylvania-based heating and refrigeration contractor.
In the fallout, Target CIO Beth Jacob resigned, as did Target CEO Gregg Steinhafel.
Target: Timeline of a data breach
New malware poses Black Friday risk
How to keep EMV confusion from ruining Christmas
Target switches to PIN card for better security
Target found negligent in data breach, argues against culpability