Target Data Breach Lawsuit

The Target data breach lawsuit represents one of the largest and most costly retail data breaches in American history. In November 2013, during the height of the holiday shopping season, hackers infiltrated Target’s payment systems and stole payment card information from 40 million customers, along with personal data including names, addresses, phone numbers, and email addresses from 70 million customers. The breach exposed millions of shoppers to potential identity theft and fraudulent charges, forcing Target to issue replacement cards and implement a multi-year settlement process that ultimately cost the company approximately $202 million.

What made the Target breach particularly significant was not just its scale, but the legal precedent it set. Target faced simultaneous lawsuits from state attorneys general, federal regulators, payment card companies, and consumers themselves. The resulting settlements established a benchmark for how companies would be held accountable for data breaches going forward. A customer who made a purchase at Target on November 15, 2013, and later discovered fraudulent charges on their card was among millions who eventually became eligible for compensation through various settlement programs. The Target case remains instructive more than a decade later because it demonstrates both the financial consequences of inadequate cybersecurity and the mechanisms through which consumers can seek recourse when their data is compromised.

How Did Hackers Access Target’s Customer Payment Data?

The 2013 Target breach occurred through a vulnerability in the company’s network. Attackers used stolen credentials from a third-party HVAC vendor to gain access to Target’s systems, then navigated through the network to reach the point-of-sale systems where customer payment card data was processed and temporarily stored. The breach went undetected for weeks during the critical holiday shopping season, meaning millions of transactions were processed through compromised systems before Target discovered the infiltration and took corrective action.

What made this breach particularly damaging was the timing. The holiday shopping season is the highest-volume period for retail transactions, so the breach captured payment information from an unusually large number of customers. Additionally, Target initially did not have sufficient encryption protections on its payment processing systems—a failure that became a turning point for the entire retail industry’s approach to payment security. By comparison, smaller retailers that had already implemented encrypted payment systems avoided similar breaches during this period, highlighting the vulnerability of Target’s legacy security architecture.

The breach led to immediate consumer impact, with cardholders discovering unauthorized charges within days of shopping at Target. Some customers experienced identity theft lasting years after the breach, as criminals used stolen personal information to open fraudulent accounts.

The Record-Breaking Multi-State Settlement

In 2017, Target reached a settlement with 47 state attorneys general and the District of Columbia for $18.5 million—at the time, the largest settlement ever paid for a data breach involving payment card theft. This settlement was separate from other litigation and specifically addressed consumer protection violations and the failure to implement reasonable data security measures. The multi-state settlement represented a coordinated enforcement action, with each state attorney general’s office contributing to the investigation and negotiation.

The significance of this $18.5 million settlement lay not in its amount relative to Target’s total costs, but in what it signaled about enforcement expectations. State attorneys general demonstrated they would aggressively pursue companies for data security failures, even when those failures resulted from external hacking rather than intentional misconduct. However, critics noted that for a company of Target’s size and profitability, the settlement amount represented only a small fraction of annual revenue—a limitation that raised questions about whether financial penalties alone could adequately deter similar negligence from other major retailers. This multi-state settlement included provisions requiring Target to implement specific security enhancements and submit to ongoing compliance monitoring, representing the first time a major retail data breach settlement included detailed security mandates.

Target Data Breach Settlement Breakdown

Multi-State Settlement: $18.5M
Consumer Settlement: $10M
Visa Settlement: $67M
Card Issuer Settlement: $39.4M
Direct Costs: $61M

Source: NBC News, California Attorney General, Texas Attorney General, Mintz Law Firm, Breach Sense

The $10 Million Consumer Class Action Settlement

Separate from the state settlement, Target’s consumers received compensation through a federal class action lawsuit. In March 2015, a federal judge approved a $10 million settlement for customers whose payment card information was exposed in the breach. This settlement allowed customers who could prove they suffered direct losses—such as fraudulent charges, credit monitoring costs, or other identity theft-related expenses—to claim reimbursement of up to $10,000. The settlement was structured to compensate two categories of harm: customers who experienced actual fraud losses and those who paid for credit monitoring or identity theft protection services. A customer who discovered $500 in unauthorized charges and spent $200 on credit monitoring could claim $700 in losses, for example.

The settlement was affirmed by the Eighth Circuit Court of Appeals in June 2018, providing final legal validation. However, a significant limitation of this settlement was that the $10 million pool had to be divided among potentially millions of eligible claimants, meaning individual payments were often much smaller than requested amounts. Many consumers who filed claims found their payments reduced because the total claims exceeded the settlement fund. This created a fairness question: while Target was held accountable, individual consumers with significant losses could recover only a fraction of their actual damages.

Payment Card Company Settlements

Beyond the consumer and state settlements, Target also reached separate agreements with the payment card networks and card-issuing banks. In August 2015, Visa settled its claims against Target for $67 million, as the company had incurred fraud losses and costs related to card reissuance when fraudulent Target payments appeared on Visa networks. In December 2015, a broader settlement with banks and card issuers resulted in Target paying $39,357,939.38 to cover their fraud management and reissuance costs.

These card network settlements represented a different aspect of the breach’s financial impact. While consumers suffered direct fraud losses, the payment card systems themselves suffered significant operational costs—detecting fraudulent transactions, investigating them, issuing replacement cards, and processing chargebacks. By comparison, a major data breach at a smaller retailer might result in card network settlements of $1-5 million, illustrating how Target’s breach scale led to proportionally larger settlements across all categories. Card networks began using these settlements as leverage to demand better security standards from all retailers. The card company settlements also established a precedent: major corporations would not absorb the full cost of their security failures; they would be required to compensate the entire ecosystem of parties affected by the breach, from customers to financial institutions.

The Total Financial Cost and Its Implications

Target’s total exposure from the 2013 breach reached approximately $202 million. This figure included the $18.5 million multi-state settlement, the $10 million consumer settlement, the $67 million Visa settlement, the $39.4 million card issuer settlement, and approximately $61 million in direct costs—including credit monitoring services provided to affected customers, investigation expenses, and mandatory security improvements to comply with settlement requirements. For perspective on the severity of this cost: while $202 million is substantial, Target’s annual revenue during this period was over $70 billion, meaning the breach cost approximately 0.29% of annual revenue.

This calculation revealed an important limitation in how companies view breach costs—when calculated against profit margins rather than total revenue, the financial impact appears more significant, but many security experts argued it remained insufficient to motivate dramatic security investments across the industry. A critical warning emerged from this settlement: companies could absorb these costs through operational savings or slight margin adjustments, meaning financial penalties alone might not be the most effective deterrent. The hidden costs extended beyond monetary settlements. Target faced reputational damage, loss of customer loyalty, and the substantial operational burden of managing millions of customer replacement cards and credit monitoring enrollments.

Security Improvements and Industry Changes

Following the breach, Target implemented substantial security upgrades, particularly in its payment processing systems. The company transitioned to encrypted payment cards with chip technology (EMV), upgraded its network security infrastructure, and enhanced its vendor management processes—specifically implementing better oversight of third-party contractors with network access, addressing the HVAC vendor vulnerability that started the 2013 breach. Target’s post-breach security investments became a case study in how major incidents can drive industry-wide improvements.

The retail industry collectively accelerated its adoption of chip-enabled card readers, moving away from magnetic stripe technology that was easier to clone. Other major retailers observed Target’s settlements and breach response, recognizing that similar vulnerabilities in their own systems could trigger comparable legal exposure. The Target breach accelerated the entire sector’s investment in payment security, ultimately benefiting millions of consumers through more secure payment systems.

Long-Term Status and Current Security Outlook

As of 2026, Target has not experienced another major data breach in over 10 years following the 2013 incident. This extended period without significant security incidents suggests that the company’s post-breach investments in security infrastructure and vendor management proved effective. The absence of another major breach stands in contrast to some competitors who have experienced subsequent incidents, indicating that Target took the settlements and compliance requirements seriously.

The Target case continues to influence how retailers approach cybersecurity and vendor management today. It established that inadequate data security is not simply a business problem or technical issue—it is a legal liability with direct financial consequences. Newer breaches at other retailers are often analyzed in reference to Target, with Target’s settlement amounts serving as a baseline expectation for how much companies should pay when customer data is compromised. For consumers, the Target settlements created a legal framework that made it clearer that companies could be held accountable and that breach victims could potentially receive compensation.

Conclusion

The Target data breach lawsuit represents a watershed moment in corporate accountability for cybersecurity failures. The combination of the $18.5 million multi-state settlement, the $10 million consumer settlement, and significant payments to payment card networks established that large retailers could face over $200 million in total costs from a single data security failure.

These settlements created lasting legal and industry precedents: they demonstrated that inadequate security measures could result in substantial legal liability, they established that state attorneys general would aggressively enforce data protection laws, and they provided a framework for consumer compensation when breaches occur. If you were a Target customer during the 2013 breach and have not yet pursued compensation, you should contact the settlement administrators or consult with an attorney to understand your eligibility. While the initial settlement periods have closed for new claims, understanding how the Target settlements operated can help consumers recognize their rights in future breach situations and take timely action to protect themselves against identity theft and fraud.

Frequently Asked Questions

How much money did Target have to pay for the 2013 data breach?

Target paid approximately $202 million total, including $18.5 million to settle with 47 state attorneys general and DC, $10 million for the consumer class action settlement, $67 million to Visa, and $39.4 million to other card issuers and banks, plus approximately $61 million in direct costs.

How many customers were affected by the Target breach?

The breach exposed payment card information for 40 million customers and personal information for 70 million customers. These numbers overlap—most of the 40 million who had payment data compromised were also among the 70 million whose personal information was exposed.

Can I still file a claim if I was a Target customer during the 2013 breach?

The active settlement claim periods have closed, but you should verify the current status with the settlement administrator. If you have valid claims, consult with an attorney about your options for pursuing compensation.

What caused the Target data breach?

Hackers used stolen credentials from a third-party HVAC vendor to access Target’s network, then navigated to the point-of-sale systems where payment card data was processed. The breach exploited inadequate network segmentation and vendor access controls.

Why did Target have to pay $67 million to Visa separately?

Visa paid fraud costs and card reissuance expenses when the breach resulted in fraudulent transactions on its network. Payment card networks negotiate settlements with merchants whose breaches generate fraud losses across the network.

Has Target experienced another major data breach since 2013?

No major data breaches have been publicly reported for Target in the decade-plus since 2013, suggesting that the company’s post-breach security investments were effective.
