US retailer Target has agreed to pay banks issuing MasterCard up to $19m to help them recover losses suffered in a 2013 data breach when up to 40 million accounts were breached.
Banks and card issuers incurred costs by reissuing credit and debit cards after the breach, as well as losses from fraudulent charges on those cards.
The settlement is conditional on the issuers of at least 90% of eligible MasterCard accounts accepting it.
Scott Kennedy, president, financial and retail services at Target, said the company hopes for a high level of issuer acceptance. “Target intends to continue to defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers,” he added.
Last month, Target agreed to a $10m compensation package for victims of the 2013 data breach. The company also agreed to appoint a chief information security officer (CISO) who will oversee employee training on securing customers' personally identifiable information.
Read more about the cost of cyber attacks
- Cyber crime costs businesses globally £265bn a year, according to a June 2014 study.
- Targeted cyber attacks could cost up to £1.6m, according to a July 2013 study.
- Security professionals warn businesses not to rely on cyber insurance as cyber attacks increase.
- Halting cyber crime could have a positive effect on global economy, says Intel.
Lawyers for customers who filed a class action have asked the judge in the case to approve Target's offer, which could see individuals receiving up to $10,000 each in damages.
The class action claimed compensation for unauthorised payment card charges, lost access to accounts, card replacement fees and credit monitoring costs.
Up to 40 million payment card account details were exposed in the breach, between 27 November and 15 December 2013, which is believed to have affected up to 70 million customers.
As well as the payment card details, attackers are believed to have stolen records that included names, addresses, email addresses and phone numbers.
Up to three million sets of payment card details are believed to have been sold on the black market and used for fraud before the issuing banks cancelled the rest.