Under-fire US retailer Target has revealed yet another major cost related to the massive data breach it experienced at the end of 2013 – a $19m pay-off to MasterCard.
The Minneapolis-headquartered nationwide chain announced the settlement agreement with the card provider on Wednesday.
It said:
“Under the agreement, alternative recovery offers will be made by MasterCard to eligible MasterCard issuers worldwide that issued MasterCard-branded payment cards claimed to have been affected by the data breach, and MasterCard will recommend that such eligible issuers accept their offers.
Target has agreed to fund up to $19m pre-tax in alternative recovery payments, depending on the extent of eligible issuer acceptances.”
Issuers who accept the deal will be paid by the end of the second quarter this year, Target said.
“We are hopeful that Target’s agreement to pay up to $19m to settle the claims of MasterCard and its issuers will result in a high level of issuer acceptance,” said the firm’s president of financial and retail services, Scott Kennedy.
“Target intends to continue to defend itself vigorously against any assessments made by MasterCard on behalf of MasterCard issuers that do not accept their offers.”
The $19m outlay is just the latest financial penalty the retailer has been forced to pay as a result of a breach in December 2013 which resulted in the theft of 40 million card details.
The retailer has already admitted forking out over $160m as a result of the breach, a figure which would have been even higher were it not for insurance pay outs.
Security experts have claimed that the incident could end up costing the firm close to $1bn if legal action goes ahead.
Target has yet to reach a similar agreement with Visa.
David Flower, EMEA managing director for Bit9 + Carbon Black, argued that the MasterCard pay-out proves how long the effects of a data breach can last.
“This should act as a cautionary tale to other businesses – particularly those that handle customer data – that network security alone is not enough. Organizations need to make sure they are securing every endpoint device, whether that a desktop, a server, or a point-of-sale (PoS) device,” he told Infosecurity.
“Companies that fail to recognize the need for security on their endpoint devices are sitting ducks; it’s just a matter of time before they suffer the same fate as Target. The question to ask yourself is: do you think your business could survive?”