CUToday.info was first to report, Target and MasterCard have reached an agreement to reimburse financial institutions for costs associated with the massive 2013 data breach.
Now, terms of that agreement have been announced—a final figure of $19 million.
Reports indicate that reimbursed funds will be distributed by MasterCard to the financial institutions that issue credit cards and debit cards under its brand, including Citigroup Inc., Capital One Financial and J.P. Morgan Chase, reports said. The settlement does not include banks or CUs that issue under the Visa brand. Target is negotiating separately with Visa.
NAFCU President and CEO Dan Berger said the trade association was hoping for a larger settlement figure.
“NAFCU has been in regular contact with MasterCard and VISA on data breaches as well as other payment issues,” said Berger in a release. “While we appreciate that the settlement attempts to hold Target somewhat accountable, we were hoping it would be more than just pennies on the dollar. We believe that this demonstrates the reason why Congress must act to protect consumers’ financial information by enacting stronger standards and holding retailers and merchants directly accountable for their data breaches.”
CUNA President/CEO Jim Nussle said the settlement was overdue.
“It's been 16 months since the Target breach became public and only now are credit unions seeing light at the end of the tunnel,” said Nussle in a release. “We appreciate MasterCard taking this first step, but the fact remains that the underlying vulnerabilities that allowed this breach and others to occur in the first place have not been addressed: merchants that accept cards for payment are not held to the same data security standards as credit unions and banks that issue cards. The weak link in the payment system must be addressed. Senators Tom Carper and Roy Blunt introduced legislation to stop merchant data breaches by imposing strong security standards on those that accept cards for payment and I’m hopeful Congress will act to protect American consumers from future identity theft and fraud caused by data breaches.”
Target has also proposed paying customers affected by its 2013 data breach as much as $10,000 in damages.