when it admitted the details of at least 45m credit and debit cards used in its stores had been stolen over an 18-month period from its offices in the UK, US, Puerto Rico and Canada.
The company settled several class action lawsuits in September and has now settled with the US Federal Trade Commission after agreeing to submit to biennial security audits over the next 20 years and establish a comprehensive information security programme.
The FTC does not have the authority to levy civil fines, although it has asked Congress for such authority since 2005. It has brought 20 complaints against companies that have had data breaches.
Deborah Platt Majoras, chairman of the FTC, said: "By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure."
The FTC has also reached a similar settlement with Reed Elsevier and its Seisint subsidiary, which admitted that hackers had stolen the names, addresses and social security numbers of its customers.