Target US pays $25m to states to settle data breach

Target US has agreed to pay US$18.5 million (A$24.7 million) to settle claims by 47 states and the District of Columbia and resolve a multi-state investigation into the retailer's massive data breach in late 2013.

The investigation — led by the attorneys-general of Connecticut and Illinois — found that attackers had accessed Target's gateway server through credentials stolen from a third-party vendor.

In one of the biggest data breaches to hit a US retailer, Target had reported that hackers stole data from up to 40 million credit and debit cards of shoppers who had visited its stores during the 2013 holiday season.

California will receive more than US$1.4 million from the settlement, the largest share of any state, California attorney-general Xavier Becerra said.

The costs associated with the settlement are already reflected in the data breach liability reserves that Target has previously recognised and disclosed, the company said in a statement.

Target also said the total cost of the data breach had been US$202 million.

Target spokeswoman Jenna Reck said the company has so far settled with financial institutions and states but is yet to finalise a consumer settlement.

"There is a class action settlement that is outstanding. We have reached an agreement but it hasn't been legally finalised yet."

As part of the settlement announced today, Target is required to adopt advanced measures to secure customer information such as employing an executive to oversee a comprehensive information security program as well as advise its chief executive and board.

The company is also required to hire a independent, qualified third party to conduct a comprehensive security assessment and encrypt or otherwise protect card information to make it useless if stolen.

The retailer's shares were down 0.6 percent at US$55.13 in afternoon trade.