Target reaches $18.5 million settlement with states over 2013 data breach

Target reached a settlement Tuesday that requires the company to pay $18.5 million to 47 states, including Minnesota, and the District of Columbia over its 2013 data breach.

The states’ investigation into the data breach found that in November 2013, cyber attackers gained access to Target’s gateway server and exploited weaknesses in the company’s system, according to a statement from the New York Attorney General's office. The hackers installed malware on the system and used it to capture consumer data, including full names, telephone numbers, email and mailing addresses and payment card numbers.

The data breach affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million consumers.

In addition to paying the states, the Minneapolis-based retailer also agreed to develop, implement and maintain a comprehensive information security program to better protect the personal information of its customers.

The agreement is the largest multi-state data breach settlement ever achieved.