Target has reached a $67m agreement with Visa over the massive data breach of customers’ payment data during the 2013 holiday shopping season that raised serious questions about the company’s data security systems.
The company said the required number of card issuers had entered into the agreements. It
declined to say how much the issuers would be reimbursed. However, a person familiar with the settlement said the amount that Target had agreed to fund Visa and its issuers was up to $67m. The breach has been estimated to have cost banks more than $200m.
“Offers are being extended to the remaining group of eligible Visa issuers using a settlement formula that would enable them to achieve the same economics as the Visa issuers that have already settled with Target and Visa,” the company said.
The 2013 hack resulted in the theft of about 40m customers’ credit card details and about 70m customers’ names and contact details. The breach shook consumer confidence in Target, hitting sales in the months following the disclosure of the stolen data – according to the FT.
Identity and credit card data theft is becoming an increasing headache for retailers, with the number of US breaches in 2014 climbing to a record high of 783, according to the Identity Theft Resource Center, a 27.5%increase from the previous year. The ITRC said that since it started collecting data in 2005, there had been more than 5,000 incidents of data theft of more than 675m records.
Lloyd’s, the UK insurer, has estimated that the total cost of cyber attacks to businesses has reached as much as $400bn a year.
The Target settlement was not greeted warmly by all involved.
Carrie Hunt at the The National Association of Federal Credit Unions said Congress “should enact national data security standards for retailers and hold them directly accountable for their data breaches”.
She added that while the settlement was a start credit unions deserve to be fully compensated for their losses.
Charles Zimmerman of Zimmerman Reed, class counsel for five banks over the data breach, urged his clients not to accept the settlement, accusing the companies of negotiating the deal “under a veil of secrecy”.
The banks being represented are Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain.
Since the breach, Target has been investing in improving its data security systems. The measures it has taken include strengthening its monitoring and logging capabilities, installing whitelisting (or anti-spam) point-of-sale systems and a comprehensive firewall governance process.
It has also limited vendor access to the server involved in the breach and enhanced security of accounts, it has said.
Target said that it had already accounted for the costs of the settlement in its previous results.
Visa said it “has worked to help Target reach a resolution for the expenses incurred by financial institutions as result of the 2013 compromise. Nevertheless, the fact remains that data breaches are an unfortunate situation for all parties involved – especially consumers”.
“This agreement attempts to put this event behind us, and increase the industry’s focus on protecting against future compromises with new technologies.”
Target’s shares closed 0.9%higher at $79.69.