Target to pay $18.5M for data breach

Target Corp. will pay $18.5 million to 47 states and the District of Columbia as part of a settlement over a 2013 data breach that compromised tens of millions of customers' credit and debit card information.

Of that amount, Pennsylvania will receive $469,000, and New Jersey will receive $680,411 according to a news release.

Alabama, Wisconsin and Wyoming were not part of the settlement announced Tuesday.

As part of the settlement, the Minneapolis-based retailer will also be required to employ an executive to manage a "comprehensive information security program" and advise the company's chief executive and its board of directors, according to a statement from the office of the California attorney general.

Target will also need to hire an independent third party to do a comprehensive security assessment, according to a statement from the New York attorney general's office.

Target will also need to add other cybersecurity measures, including encrypting payment card information so the data are useless if stolen, separating its cardholder data from the rest of its computer network, and instituting password rotation policies and two-factor authentication for certain accounts.

Target said it was "pleased to bring this issue to a resolution for everyone involved." The retailer added that the costs associated with this settlement were "already reflected in the data breach liability reserves that Target has previously recognized and disclosed."

The 2013 data breach led to the resignation of longtime Target CEO Gregg Steinhafel. It also hurt the company's sales and profits.

Target has since overhauled its security systems and settled other lawsuits related to the breach, including one from credit card company Visa Inc. A $10 million settlement for a class-action lawsuit brought by consumers is still going through the court system, though it received preliminary approval from a federal judge in 2015.