Target has reached another settlement of claims related to a massive data breach, agreeing to pay $39.4 million to MasterCard and other U.S. financial institutions.
The breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. Target was sued by banks and card issuers seeking to hold the retailer liable for the costs of reimbursing fraudulent charges and issuing new credit and debit cards.
Trade groups representing banks and credit unions have estimated that their members incurred more than $200 million of expenses related to the breach.
Under the terms of the settlement disclosed Wednesday, the retailer will pay as much as $20.25 million to banks and credit unions, and $19.11 million to reimburse MasterCard card issuers.
“Financial institutions should not always have to bear the burden of extensive costs related to merchant data breaches over which they have no control,” plaintiffs’ lawyers Charles Zimmerman and Karl Cambronne said in a joint statement.
Earlier this year, Target agreed to pay Visa card issuers as much as $67 million over the breach and reached a $10 million settlement with shoppers. It still faces shareholder lawsuits, as well as investigations by the Federal Trade Commission and state attorneys general.
A previous $19 million deal between Target and MasterCard fell apart after failing to get enough support from the affected banks and credit unions. Approval by 90% of the issuers was necessary for the offer to go into effect.
The data breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards. For its part, Target overhauled some of its divisions that handle security and technology.
The company has said it has spent $290 million related to the breach, and expects insurers to reimburse $90 million.