Retailer Target Corp reached an $18.5 million settlement with 47 states and the District of Columbia over a massive data breach in late 2013.
The investigation — led by the Attorneys General of Connecticut and Illinois — found that cyber attackers had accessed Target’s gateway server through credentials stolen from a third-party vendor, NY Attorney General Eric Schneiderman said in a statement on Tuesday.
In one of the biggest data breaches to hit U.S. retailers, Target had reported that hackers had stolen data from up to 40 million credit and debit cards of shoppers who had visited its stores during the 2013 holiday season.
California will receive more than $1.4 million from the settlement, the largest share of any state, California Attorney General Xavier Becerra said.
Get Data Sheet, Fortune’s technology newsletter.
The costs associated with the settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed, the company said in a statement.
For more about Target, watch:
Target also said the total cost of the data breach had been $202 million.
As part of the settlement announced on Tuesday, Target is required to adopt advanced measures to secure customer information such as employing an executive to oversee a comprehensive information security program as well as advise its chief executive and board.
The company is also required to hire a qualified third-party to conduct a comprehensive security assessment and encrypt or otherwise protect card information to make it useless if stolen.