Target will pay a total of $18.5 million to 47 states and the District of Columbia as part of an agreement with the state attorneys general. Target has shelled out $202 million on legal fees and other costs since the 2013 security breach. The settlement also mandates that Target implement specific security controls and a governance framework around cybersecurity, and follow certain audit and reporting guidelines. Attackers stole 40 million credit card numbers, as well as their cardholders’ names, expiration dates, and CVV codes.”]