Target Corp said it has reached an agreement with Visa Inc card issuers to reimburse up to $67 million in costs related to a data breach at the retailer in 2013, according to a source familiar with the matter.

The breach during the holiday shopping season compromised at least 40 million credit cards and may have resulted in the theft of personal information from as many as 110 million people.

The agreement comes three months after a proposed $19 million settlement between Target and Mastercard Inc fell through as not enough banks accepted the deal.

A lawyer representing banks that are suing Target said financial institutions should not accept the “optional alternative recovery offer” as that requires them to release the retailer from a class action lawsuit.

“Just as with the proposed MasterCard settlement…this deal was negotiated under a veil of secrecy without the involvement of the court or the court-appointed legal representatives of financial institutions,” Charles Zimmerman of Zimmerman Reed said.

The Mastercard deal required the approval of banks that issued at least 90 percent of the MasterCard accounts.

“(The agreement with Visa) fails to fully reimburse card issuers for the substantial losses suffered from the Target data breach,” Zimmerman said in an email on Tuesday.

Financial institutions have sued Target, saying they have spent billions of dollars to replace compromised cards and beef up customer service operations because of the data breach.

Target said on Tuesday the agreement with Visa was based on a condition that a subset of Visa card issuers entered into direct settlements with Target and Visa.

Target’s breach was followed by an attack on Home Depot Inc which revealed theft of some 56 million payment cards in September last year.

More recently, office supplies retailer Staples Inc said about 1.16 million payments may have been affected by a data breach it had announced in October.

The Wall Street Journal reported the agreement between Target and Visa earlier in the day, citing people familiar with the matter.

Target had incurred $162 million in net expenses related to the breach as of Jan. 31. (Reporting by Yashaswini Swamynathan and Sudarshan Varadhan in Bengaluru; Editing by Don Sebastian)

Topics Cyber