NPR logo Target Offers $10 Million Settlement In Data Breach Lawsuit

America

Target Offers $10 Million Settlement In Data Breach Lawsuit

Shoppers line up outside a Target store in South Portland, Maine. i

Shoppers line up outside a Target store in South Portland, Maine. Robert F. Bukaty/AP hide caption

toggle caption Robert F. Bukaty/AP
Shoppers line up outside a Target store in South Portland, Maine.

Shoppers line up outside a Target store in South Portland, Maine.

Robert F. Bukaty/AP

Target has agreed to pay $10 million to settle a class-action lawsuit related to the company's 2013 data breach.

Court documents show hacking victims could get as much as $10,000 apiece.

U.S. District Court Judge Paul Magnuson indicated a hearing Thursday in St. Paul, Minn., that he planned to grant preliminary approval of the 97-page settlement, The Associated Press reported.

As the Two-Way reported, Target said immediately after the breach that "as many as 40 million credit and debit card accounts may have been impacted" in the hack. But that number quickly ballooned 70 million people affected when taking into consideration other personal information that was stolen. The breach affected holiday shoppers at Target from Nov. 27 through Dec. 18 2013.

The retailer now estimates that about 42 million people had their credit or debit information stolen, according to the court documents, with the largest totals coming from California (7.8 million), Texas (3.6 million) and Florida (2.9 million).

Target also estimates that close to 61 million people had their personal data stolen. That information could include names, mailing addresses, phone numbers and email addresses.

The proposed settlement would also require the Minneapolis-based Target Corp. to implement changes to its security policies within 10 business days of the settlement becoming effective.

Those changes would include requiring the company to:

  • Appoint a chief information security officer
  • Keep a written information security program, which will document potential security risks, and develop metrics to measure the security of its systems
  • Offer security training to "relevant" workers that educates them about the importance of safeguarding personal identifying information

Target Spokesperson Molly Snyder said in an emailed statement to CBS News, "we are pleased to see the process moving forward and look forward to its resolution."

For victims of fraud to get money as part of the settlement, they have to have experienced at least one of the following as a result of the breach:

  • Unauthorized, unreimbursed charges on their credit or debit card
  • Time spent addressing charges
  • Fees to hire someone to correct a credit report
  • Higher interest rates or fees on accounts
  • Credit-related costs like buying credit reports
  • Costs to replace their identification, Social Security number or phone number

The settlement requires "reasonable documentation" proving losses; losses can't be claimed based solely on "personal declaration" by the victim it concludes.

The form does provide a space for a claimant to explain some other unreimbursed expense that came as a result of the breach.

The CEO at the time of the breach, Greg Steinhafel, stepped down in May.

Target named Brian Cornell, formerly of PepsiCo Americas Foods, the largest of PepsiCo's four divisions, to the post in July.

Target's rough stretch continued into this year, with the company announcing in January the closing all 133 of its stores in Canada. The move resulted in the company also laying off more than 17,000 workers.

Earlier this month, the company laid off another 1,700 employees at its headquarters and slashed 1,400 more open positions.

Still, there remains optimism on Wall Street, the AP reports, with the retailer's stock trading above $80 for the first time on Monday.

You can look through the proposed settlement here:

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.