- Holiday hack exposed as many as 40 million payment cards
- Financial firms incurred estimated $200 million in costs
Target Corp. will pay about $39 million to banks and credit unions to resolve losses from a 2013 holiday-season data breach, as retailers and financial institutions continue to grapple with the costs of major hacker attacks.
Financial institutions sued the Minneapolis-based retailer to recover an estimated $200 million in losses stemming from the hack, in which as many as 40 million payment cards were exposed. Lawyers for the banks argued the retailer failed to take precautions to protect the customer data.
The settlement comes as reports of data breaches mount. Other major breaches within the past couple of years include hacks of Home Depot Inc., JPMorgan Chase & Co., auction site eBay Inc. and health insurer Anthem Inc. In the latest, VTech Holdings Ltd. of Hong Kong said Wednesday that hackers who infiltrated its online services had gained access to the profiles of more than 6 million children.
Settlement negotiations between retailers and banks over the coverage of losses from hacks have been complicated by payment card firms that step in to cut their own deals. Lawyers for the banks in the Target case had criticized attempts by card firms Visa Inc. and MasterCard Inc. to negotiate separate settlements with their clients and the retailer outside of the litigation.
Similarly, in a lawsuit against Home Depot over a 2014 hack, lawyers for banks said in a filing on Nov. 30 that they had reason to believe MasterCard is working on its own deal. The filing did not provide details or the amount of the potential settlement.
Seth Eisen, a spokesman for MasterCard, said the payment card company and "several of our larger issuing customers have been in discussions with The Home Depot to settle claims related to the 2014 data breach." Stephen Holmes, a spokesman for the home improvement chain, said Home Depot has reached a "tentative agreement."
In a memorandum filed Wednesday describing the Target accord, lawyers for the banks and credit unions said Target will contribute more than $20 million to a general settlement fund and more than $19 million to a separate recovery program handled by MasterCard. In an order Wednesday in St. Paul, Minnesota, U.S. District Judge Paul A. Magnuson granted preliminary approval to the settlement and said that it is "fair, reasonable and adequate." The deal will require final approval. A hearing is scheduled for May 10.
The settlement provides “compensation well beyond what the card brand networks offered,” Charles Zimmerman, a lawyer for the financial institutions, said in a statement.
Target spokeswoman Molly Snyder said the retailer is “pleased that the process is continuing to move forward.”
The Consumer Bankers Association said member costs for card replacements and other expenses stand at about $172 million. The Credit Union National Association said its members have shelled out $30.6 million.
The National Association of Federal Credit Unions, another trade association, said more needs to be done by policy makers to address the costs of breaches. The group said retailers should be required to adopt “national data security standards” and be held “directly accountable for their data breaches.”
The case is IN RE: Target Corporation Customer Data Security Breach Litigation, 14-md-02522, U.S. District Court, District of Minnesota (St. Paul).