A federal judge in St. Paul on Tuesday granted class-action status to financial institutions suing Target Corp. for damages related to the 2013 cyberattack on its data system.
The decision may force Target to pay more than it previously estimated to banks that want the retailer to cover the costs they incurred when consumers sought new credit cards after the breach.
Hackers in late 2013 accessed Target’s point-of-sale system and obtained the credit card data of at least 40 million Target customers over a three-week period, one of the largest corporate data breaches. For months after, Target customers asked banks and other credit-card issuers to replace the cards that may have been compromised.
Target last month reached an agreement to pay $67 million to issuers of Visa cards for breach-related costs. A group of bank plaintiffs represented by Minneapolis attorney Charles Zimmerman continued to press for more, however, and last week made preliminary arguments before U.S. District Judge Paul Magnuson in St. Paul.
Magnuson certified those plaintiffs as a class, giving them more leverage in negotiations with Target or in a potential trial.
“We will provide notice to financial institutions that are now members of this class, and look forward to obtaining proper compensation for the losses they suffered from the Target breach,” Zimmerman said in a statement.
A Target spokeswoman said the company was disappointed in the ruling and will consider its next steps after executives have reviewed it.
The company last month estimated it has incurred $264 million in breach-related costs, including funds it has set aside to cover litigation. Insurance has covered about $90 million.
The National Association of Federal Credit Unions issued a statement praising the ruling and repeating its view that credit unions need to be fully paid for their costs related to the breach.