Target settlement could make other hacked retailers liable

Target has agreed to pay $10 million to settle a class-action lawsuit stemming from a massive data breach that compromised the information of up to 40 million shoppers during the 2013 holiday season. Target will pay affected shoppers up to $10,000 each in damages. 

Shoppers arrive at a Target store in Los Angeles. Target has proposed to pay $10 million to settle a class-action lawsuit brought against it following a massive data breach in 2013.

Damian Dovarganes/AP/File

March 19, 2015

The 2013 holiday shopping season is most likely one Target would rather forget. It came a step closer this week.

The retailer has agreed to pay $10 million to settle a class-action lawsuit stemming from a massive data breach in which hackers broke into Target's computer system and stole credit and debit card information of up to 40 million shoppers (other shoppers had information like e-mail and mailing addresses stolen, pushing the number potentially higher). Individual shoppers could receive up to $10,000 in damages, according to court documents. The proposed settlement will be heard in a court in Minnesota on Thursday. 

"We are pleased to see the process moving forward and look forward to its resolution," Target spokesperson Molly Snyder told CBS News, which first confirmed the story. 

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

Customers will be able to submit claims online through a stand-alone website.

The Target breach was carried out between Nov. 27 and Dec. 15, 2013. Hackers installed malware on the retailer's payment machines, capturing card data when shoppers swiped cards to make payments, affecting customers at all 1,797 of Target's US locations. It was among the largest retail hacks of its kind.

By the end of that year, several lawsuits were filed against the Minneapolis-based company, seeking millions in damages. The Justice Department soon launched its own investigation; in 2014, spurred in part by Target's delay in disclosing the breach, Attorney General Eric Holder urged Congress to to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised. This week's settlement would also require Target to adopt additional data security measures, including appointing a chief information security officer and maintaining a written information security program, according to Reuters. 

In an August 2014 earnings report, Target disclosed that the hack had cost the company $148 million, before the legal action. 

The after-effects of the Target breach, which was notable both for its breadth and its sophistication, have rippled through the US retail industry since. Chains including Neiman Marcus, Home Depot, P.F. Chang's, Jimmy John's, and Staples faced their own data breaches. The hacks have amplified calls for better consumer data protection. For example, many have urged merchants and banks to phase out magnetic-stripe credit cards and convert to computer chip-based card technology (also known as EMV), already in wide use in Europe and other parts of the world. Several banks and credit card companies are in the process of adopting the technology, and Target has invested $100 million to convert its customer credit card program.

In the race to attract students, historically Black colleges sprint out front

This week's proposed settlement, too, could set a precedent for other retailers that fall victim to data hacks.

"Consumers and banks have routinely brought negligence claims against businesses such as Target that have suffered a data breach," Jaikumar Vijayan argued in the Christian Science Monitor's Passcode blog in December, after a state court allowed the class-action suit to move forward. "However, this is the first time in a data breach case of this magnitude that a court has said a company can be sued for failing to respond to warnings from security software. That decision could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches."

Target, meanwhile, is working to move forward after a tumultuous year. Last week, the company announced 1,700 layoffs at its Minneapolis headquarters. In January, Target axed its entire operation in Canada, just a few years after launching an ambitions expansion into the country. 

Also this week, to keep pace with wage hikes at other major retailers, Target pledged to raise its minimum pay rate to $9 per hour by next month.