US retailer Target has agreed to a $10m compensation package for victims of its 2013 data breach.
The class action claimed compensation for unauthorised payment card charges, lost access to accounts, card replacement fees and credit monitoring costs.
Details of as many as 40 million payment card accounts were exposed between 27 November and 15 December 2013 in the breach, which is believed to have affected up to 70 million customers.
In addition to the payment card details, attackers are believed to have stolen records that included names, addresses, email addresses and phone numbers.
Up to three million of the payment card details are believed to have been sold on the black market and used for fraud before issuing banks cancelled the rest.
In addition to the compensation package, Target has agreed to appoint a chief information security officer (CISO) who will oversee employee training on securing customers' personally identifiable information.
Target does not appear to have had a dedicated CISO prior to the breach, which was followed by the resignation of the retailer’s CIO and CEO in quick succession.
“We are pleased to see the process moving forward and look forward to its resolution,” Target said in a statement.
But even if the package is approved, that will not be the end of the breach-related costs. More costs could be on their way, with several financial institutions poised to go ahead with lawsuits over losses associated with the Target breach.
In February, Target declared a cost of $162m in the company’s annual financial report, but commentators said the total could be $1bn or more after all claims are paid.
Steve Hultquist, chief evangelist at security firm RedSeal, said even a significant investment in proactive security analytics and process improvements would have given a good return on investment for Target.
“Invest now or pay later – this is the message from the Target breach. Making strategic investments now is a wise preventative measure to keep your organisation and your customers safe,” he said.