Target, the shopping behemoth for people who are too classy to go to Walmart, has today reached a settlement with 47 states and the District of Columbia over the 2013 hacking incident that saw 70 million customers lose their personal information.
In December 2013, at the height of the shopping season, the retailer announced that it had suffered a major malware infection in its payment systems. Up to 40 million credit and debit cards had been skimmed. The following month the number increased to 70 million as investigators sorted out the mess.
The fiasco ended up costing CEO Gregg Steinhafel his job, after 35 years with the company. The retailer also firmed up its point-of-sale security with the introduction of tougher chip-and-PIN-card technology.
As break-ins go it was a massive hit, possibly the biggest theft of customer data ever reported. The states promptly took Target to task and on Tuesday the firm said that it had finally reached a settlement for the issue.
"We've been working closely with State Attorneys General for several years to address claims related to Target's 2013 data breach," a Target spokeswoman told The Register.
"We're pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed."
All of the money will go to the states, she explained, since this is not a settlement with consumers. The funds will go to states' budgets for them to disburse as they see fit.
As fines go, $18.5m might sound like a lot – but Target made over $20bn in profits last year. Therefore the fine will cost the retailer a little less than eight hours profits, so it's hardly a big financial hit for the company.
That said, Target has also allocated some $10m in compensation for its customers and has paid out $40m to banks and credit card companies to compensate for losses. But it's still hardly enough to amount to more than a slap on the wrist. ®