As part of a settlement over a massive security breach that endangered the data of millions of customers, Target is paying 47 states and the District of Columbia $18.5 million.

This settlement concludes an investigation that lasted years, looking into how hackers got the credit card numbers and correlating names of tens of millions of people in 2013.

California alone will receive $1.4 million while New York gets $635,000 according to New York Attorney General Eric Schneiderman. Based on population size from state to state, state attorneys general fought for a fair settlement that would extend to all of them.

Target said in a statement issued that it was "pleased" to finally resolve the matter. Target has spent $202 million just in legal fees since this battle first began, not to mention additional costs that also came in the aftermath of the breach according to their last annual statement.

Connecticut and Illinois attorneys general led the investigation and determined that credentials were pilfered from a third-party vendor that the hackers were able to use to gain access to a customer database. Upon infiltration, the hackers deployed malware to capture as much data as possible.

The settlement also involves Target being obligated to measurably heighten IT security, and this means encryption to safeguard information. Target also has to separate cardholder data from its computer network and contract a third-party, cyber-security firm to assess the security measures according to their announcement Tuesday.