The proposal, which requires U.S. federal court approval, calls for individual victims to receive up to $10,000. As many as 110 million people were affected by the attack, which occurred during the holiday shopping season.
The proposed settlement includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota. Target must develop and test a security program for protecting consumer data and implement a process of monitoring and identifying security threats. The company must also provide its employees with security training around keeping consumer data safe. After the settlement's approval, Target would have five years to implement these measures.
Target has already complied with one of the requirements: it named a chief information security officer in June 2014.
Target will alert affected customers by email and mail, in addition to advertising on Facebook and in certain magazines and on certain websites. A website and hotline will also be set up for people to obtain information about the settlement.
Target initially said in December 2013 that a data breach that lasted from late November to mid-December compromised 40 million credit and debit card accounts. However, in January, Target reported that an additional 70 million people were impacted by the attack. Hackers used stolen credentials from a contractor to access Target's systems and to upload point-of-sale malware that captured payment data. Attackers made off with people's names, email addresses, mailing addresses and phone numbers in addition to payment information.
Target's CIO and CEO resigned last year over the breach. To shore up its security systems, Target is rolling out chip-enabled branded credit cards. These cards are equipped with microprocessors that encrypt payment details as they're exchanged with a store's payment terminal.
A court hearing on the proposed settlement is scheduled for Thursday, according to news reports.