Target Corp. will pay $18.5 million to 47 states and the District of Columbia as part of a settlement over a 2013 data breach, Reuters reported May 23.
The attorneys general of Illinois and Connecticut led the probe into the breach at the retailer, which affected up to 40 million credit and debit cards across the U.S.
California will reportedly receive the largest share of the settlement, with more than $1.4 million.
The settlement also calls for Target to have an executive overseeing information security, and to hire a third party to carry out a security assessment and encrypt card information.
Target spokeswoman Jenna Reck told Reuters that the company is still waiting to finalize a consumer settlement. Previously, the company paid Visa Inc. up to $67 million in 2015, and also settled a class action for more than $20 million.
Target said it has incurred a total cost of $202 million from the breach, according to the report.