Target pays out largest multi-state settlement after breach: $18.5 million

Target has reached an agreement with 48 states related to its 2013 credit card breach that impacted 41 million Target customers.

The breach occurred when Target gave network access to a contractor it had hired, whose cybersecurity wasn’t as strong as Target’s.

A hacker was able to get through the contractor’s defenses, then use the contractor’s credentials to gain access to Target’s network.

Target agreed to pay $18.5 million to the states, but the cost of the breach is much more than that.

In addition, Target paid more than $200 million in legal fees and other costs to shore up its data protections.

It had also previously agreed to pay $70 million to reimburse the financial institutions affected by fraudulent use and replacement of the credit cards.

Part of the agreement requires Target to hire a chief security officer who will oversee and implement a cybersecurity plan.

Target is also now required to use two-factor authentication for any staff trying to access server data, and to apply a rotational password policy to both staff and contractor accounts.