Target Corp. agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen.

It’s the largest multistate accord ever reached over a data breach, according to New York Attorney General Eric Schneiderman. The hack, which occurred during the busy holiday shopping season in late 2013, affected more than 41 million customer payment-card accounts and exposed contact information of more than 60 million customers.

The settlement resolves investigations led by Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan, which found that in November 2013 hackers accessed Target’s gateway server through a third-party vendor, then used the information to exploit weaknesses in the retailer’s system.

The hackers accessed a customer service database and installed malware on Target’s system that captured consumer data, including names, telephone numbers, email and mailing addresses as well as payment card numbers with their expiration dates and encrypted debit card personal identification numbers.

“Millions of consumers in Connecticut and across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target’s inadequate security protocols,” Jepsen said. “Through this settlement, we are assuring that Target improves its data protections.”

Security Program

The agreement requires Target to develop and maintain a comprehensive information-security program and to employ an executive who is responsible for implementing the changes, Schneiderman said. The company must also hire an independent, qualified monitor to conduct a comprehensive security assessment, Jepsen said.

Target is also required to maintain and support software, keep appropriate encryption policies regarding cardholder and personal data, and segment that information from the rest of its computer network, according to the accord.

Target said it’s pleased to bring the issue to a resolution.

“The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed,” Jenna Reck, a spokeswoman for Target, said in an emailed statement.

Target in 2015 separately agreed to pay $10 million to settle claims by customers who said they were affected by the data breach, one of the largest to hobble retailers and banks in recent years.