Breached Target Customers Could be Set For $10m Payout

US retail giant Target is set to pay disgruntled customers $10m to settle a class action lawsuit resulting from its 2013 data breach, which customers claim exposed their personal details to fraudsters.

Court documents seen by Reuters claim that Target will pay the money, which amounts to up to $10,000 per individual, into an interest-bearing escrow account.

A dedicated website would be set up to handle the processing of claims, the newswire said.

The proposals, which apparently still need to be approved by a federal court, also require Target to appoint a CISO alongside other unspecified data security improvements.

A court hearing on the proposed settlement is set for Thursday in St Paul, Minnesota, reports claim.

“We are pleased to see the process moving forward and look forward to its resolution,” Target spokeswoman Molly Snyder said in a statement.

Target actually appointed its first ever CISO – former General Motors CISO Brad Maiorino – back in June last year, months after the huge data breach was discovered.

That intrusion is believed to have been made possible after hackers spear-phished employees at Target contractor and air conditioning systems provider Fazio Mechanical Services, which at the time is said to have only been running free AV software.

The attack, one of the largest of its kind, took place between the end of November and mid-December 2013, with information from around 40 million credit and debit cards and personal information from as many as 100m+ customers stolen.

The breach has already cost Target over $140m, according to regulatory filings. It also forced the resignation of its CIO and likely contributed to the CEO’s departure.

It began a spate of high profile PoS data breach incidents among US retailers in 2014, with the likes of Home Depot, Neiman Marcus and Goodwill all falling victim to targeted attacks.

Andy Harris, engineering director at security vendor Osirium, argued that the settlement, if accepted, would be lower than expected.

“It effectively values the damages per card at just 25 cents (40 million card details, $10 million settlement) or personal details at 9 cents per person,” he told Infosecurity by email.

“The American Class Action approach is unique but still serves to show that data protection should be taken seriously.” 
