(Bloomberg) – Target Corp. agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen.

It's the largest multistate accord ever reached over a data breach, according to New York Attorney General Eric Schneiderman. The hack, which occurred during the busy holiday shopping season in late 2013, affected more than 41 million customer payment-card accounts and exposed contact information of more than 60 million customers.

The settlement resolves investigations led by Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan, which found that in November 2013 hackers accessed Target's gateway server through a third-party vendor, then used the information to exploit weaknesses in the retailer's system.

Hacker accessed database & installed malware

The hackers accessed a customer service database and installed malware on Target's system that captured consumer data, including names, telephone numbers, email and mailing addresses as well as payment card numbers with their expiration dates and encrypted debit card personal identification numbers.

"Millions of consumers in Connecticut and across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target's inadequate security protocols," Jepsen said. "Through this settlement, we are assuring that Target improves its data protections."

Security program requirement

The agreement requires Target to develop and maintain a comprehensive information-security program and to employ an executive who is responsible for implementing the changes, Schneiderman said. The company must also hire an independent, qualified monitor to conduct a comprehensive security assessment, Jepsen said.

Target is also required to maintain and support software and keep appropriate encryption policies regarding cardholder and personal data and segment that information from the rest of its computer network, according to the accord.

"This settlement marks an important win for New Yorkers — bringing in over $635,000 into the state, in addition to the free credit-monitoring services for those impacted by the data breach," Schneiderman said Tuesday.

Target in 2015 separately agreed to pay $10 million to settle claims by customers who said they were affected by the data breach, one of the largest to hobble retailers and banks in recent years.

Erin Conroy, a spokeswoman for Target, didn't immediately return email or voice-mail messages left at her office seeking comment.
