Eddie Bauer retail store. (Source: Shutterstock)

Three years after it reported a data breach that compromised customer data at its stores, retailer Eddie Bauer may end up paying about $10 million in a proposed settlement with Waterloo, Iowa-based Veridian Credit Union and other affected financial institutions, according to court documents.

Under the settlement agreement, which still awaits court approval, the retailer would pay up to $2.8 million for claims related to compromised cards. It would also pay up to $2 million for settlement administration and attorneys’ fees, as well as $5 million in injunctive relief, which includes the cost of implementing and maintaining an information security program that complies with the Payment Card Industry Data Security Standard.

“Eddie Bauer denies all material allegations of the complaint,” the proposed agreement noted. “Eddie Bauer specifically disputes that it is liable in any way for the third-party criminal cyber-attack and that plaintiff and putative class members are entitled to any relief from Eddie Bauer. Nevertheless, given the risks, uncertainties, burden and expense of continued litigation, which is in addition to assessments from payment card brands, Eddie Bauer has agreed to settle the litigation on the terms as set forth in this settlement, subject to court approval.”

According to Veridian’s original complaint, which it filed on March 7, 2017, hackers accessed Eddie Bauer’s point-of-sale systems and installed malware that stole customer data between January 2, 2016, and July 17, 2016. The breach compromised names, credit and debit card numbers, card expiration dates, card verification values (CVVs) and other information at approximately 350 Eddie Bauer locations, Veridian said.

Veridian has $4.3 billion in assets and about 230,000 members. Eddie Bauer is based in Bellevue, Washington, and operates about 370 stores in the United States and Canada.

Veridian also alleged that Eddie Bauer failed to implement adequate security measures and best practices, maintain an adequate firewall and notify customers promptly, among other things. That made the breach a foreseeable event, it argued.

In the proposed settlement agreement, Eddie Bauer would agree to maintain properly configured firewalls to protect cardholder data, as well as avoid vendor-supplied default passwords, continue various encryption and access-restriction efforts, and continue to test and track certain systems and processes.

Credit unions and other financial institutions would receive up to $2 per affected card. Under the pending agreement, Eddie Bauer would pay at least $1 million and no more than $2.8 million in total on those claims.