The 2013 holiday shopping season is most likely one Target would rather forget. It came a step closer this week.
The retailer has agreed to pay $10 million to settle a class-action lawsuit stemming from a massive data breach in which hackers broke into Target's computer system and stole credit and debit card information of up to 40 million shoppers (other shoppers had information like e-mail and mailing addresses stolen, pushing the number potentially higher). Individual shoppers could receive up to $10,000 in damages, according to court documents. The proposed settlement will be heard in a court in Minnesota on Thursday.
"We are pleased to see the process moving forward and look forward to its resolution," Target spokesperson Molly Snyder told CBS News, which first confirmed the story.
Customers will be able to submit claims online through a stand-alone website.
The Target breach was carried out between Nov. 27 and Dec. 15, 2013. Hackers installed malware on the retailer's payment machines, capturing card data when shoppers swiped cards to make payments, affecting customers at all 1,797 of Target's US locations. It was among the largest retail hacks of its kind.
By the end of that year, several lawsuits were filed against the Minneapolis-based company, seeking millions in damages. The Justice Department soon launched its own investigation; in 2014, spurred in part by Target's delay in disclosing the breach, Attorney General Eric Holder urged Congress to to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised. This week's settlement would also require Target to adopt additional data security measures, including appointing a chief information security officer and maintaining a written information security program, according to Reuters.
In an August 2014 earnings report, Target disclosed that the hack had cost the company $148 million, before the legal action.
The after-effects of the Target breach, which was notable both for its breadth and its sophistication, have rippled through the US retail industry since. Chains including Neiman Marcus, Home Depot, P.F. Chang's, Jimmy John's, and Staples faced their own data breaches. The hacks have amplified calls for better consumer data protection. For example, many have urged merchants and banks to phase out magnetic-stripe credit cards and convert to computer chip-based card technology (also known as EMV), already in wide use in Europe and other parts of the world. Several banks and credit card companies are in the process of adopting the technology, and Target has invested $100 million to convert its customer credit card program.
This week's proposed settlement, too, could set a precedent for other retailers that fall victim to data hacks.
"Consumers and banks have routinely brought negligence claims against businesses such as Target that have suffered a data breach," Jaikumar Vijayan argued in the Christian Science Monitor's Passcode blog in December, after a state court allowed the class-action suit to move forward. "However, this is the first time in a data breach case of this magnitude that a court has said a company can be sued for failing to respond to warnings from security software. That decision could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches."
Target, meanwhile, is working to move forward after a tumultuous year. Last week, the company announced 1,700 layoffs at its Minneapolis headquarters. In January, Target axed its entire operation in Canada, just a few years after launching an ambitions expansion into the country.
Also this week, to keep pace with wage hikes at other major retailers, Target pledged to raise its minimum pay rate to $9 per hour by next month.