Retail Data Breach Settlements 2026 — Stores, Hotels & Shopping

1. Check your shopping history against open retail breaches

   Look at the settlement list above and think back: Did you shop at Target during the 2013 holidays? Stay at a Starwood hotel before 2018? Shop at Home Depot in 2014? Each yes is a potential claim.
2. Click "Check Eligibility" on the settlement card

   The link goes directly to the official settlement administrator. Filing retail breach claims is always free.
3. Enter your information (2–4 minutes)

   Basic claims require your name, address, and a rough confirmation of your visit dates. No receipts, no loyalty program account numbers, no proof of harm.
4. File across multiple retail breaches

   If you shopped at multiple affected retailers, file each claim separately. Every filing is its own payout.
5. Receive payment in 12–18 months

   Retail settlements typically distribute payment by check or digital payment within 12–18 months of the filing deadline.

How Retail Data Breaches Happen

Most major retail data breaches follow a predictable pattern: hackers infiltrate a retailer's network through a third-party vendor (often an HVAC, billing, or IT company with access to internal systems), install malware on point-of-sale (POS) terminals, and silently collect credit and debit card data for weeks or months before detection. The Target 2013 breach — the watershed moment for retail cybersecurity — was accessed through Target's HVAC vendor, Fazio Mechanical. The attackers spent 76 days inside Target's network before the malware was discovered. By then, 40 million payment cards and 70 million records of personal data had been stolen. The Home Depot breach used similar malware, collecting card data from self-checkout terminals over a five-month period. The Marriott/Starwood breach ran undetected for four years. Retailers have known how to prevent these attacks for over a decade — through end-to-end encryption, EMV chip reader requirements, network segmentation, and vendor access controls. When they choose not to implement these protections and customers are harmed, class actions provide accountability.

Major Retail and Hospitality Breaches

• Target (2013): 40 million payment cards and 70 million customer records stolen during the holiday shopping season. Settlement: $10 million class action, $18.5 million multi-state attorney general settlement. Triggered the nationwide shift to EMV chip cards.
• Home Depot (2014): 56 million payment cards stolen from self-checkout terminals over five months. Settlement: $25+ million. The largest retail card breach at the time.
• Marriott / Starwood (2018): 500 million guest records exposed from the Starwood reservation system — the breach had run undetected since 2014. Passport numbers, payment cards, and 4+ years of travel history compromised. Settlement: $52 million.
• TJ Maxx / Marshalls (2007): 90 million credit and debit card numbers stolen over 18 months. The first major retail card data breach, establishing the class action template used by all subsequent cases.
• Neiman Marcus (2013–2014): 1.1 million payment cards compromised over a seven-month period. Settlement reached after years of litigation.
• Barnes & Noble (2012): PIN pad tampering in 63 stores across nine states. Customers had card numbers, expiration dates, and PINs stolen.

Hotel Loyalty Program Data and What Gets Exposed

Hotel breaches are particularly damaging because loyalty programs accumulate years of personal data. When Marriott announced the Starwood breach in 2018, affected guests hadn't just lost their credit card numbers — they'd lost everything their loyalty profile contained:

• Passport numbers (encrypted, but some with decryption keys also stolen)
• Arrival and departure dates across potentially hundreds of stays
• Payment card numbers including expiration dates
• Email addresses, phone numbers, and home addresses
• Loyalty account numbers, point balances, and account PINs
• Date of birth and gender

For frequent business travelers, this creates an almost complete intelligence profile going back years. The $52 million Marriott settlement acknowledges this severity with higher per-person payouts for guests who can document sensitive data exposure.

When to Expect Your Retail Settlement Payment

Retail settlement payments follow a predictable timeline:

• Filing deadline closes: The claim administrator stops accepting submissions
• Claims review (3–6 months): Administrator verifies submitted claims against eligibility criteria
• Court final approval hearing: Judge approves final settlement terms (often 6–12 months after deadline)
• Payment distribution (1–3 months later): Checks mailed or digital payments issued

Total timeline from filing deadline to payment: typically 12–18 months. SettlementRadar tracks this timeline for every case and sends updates to subscribers when payment distribution begins.