The Securities and Exchange Commission (SEC) will not penalize Target Corp. for a cyberattack two years ago, according to the StarTribune. In the breach, which occurred during the 2013 holiday season, cyberthieves accessed point-of-sale terminals at hundreds of Target stores and siphoned off the credit card and other personal information of as many as 110 million customers.

While the government watchdog agency said it “does not intend to recommend an ­enforcement action against [Target],” the Minneapolis-based big-box retailer still faces sanctions from the Federal Trade Commission (FTC), state attorneys general and others as a consequence of the incursion and is expected to bear further expenses from settlements and penalties.

In its quarterly 10-Q filing with the SEC [PDF], Target reported it had already shelled out $264 million in cumulative expenses. Factoring in insurance recoveries of $90 million, that still leaves the retailer with net cumulative expenses of $174 million, so far.

Hundreds of lawsuits filed after the breach were consolidated into three bodies of litigation. One, composed of consumers, was settled earlier this year for $10 million. Another involving credit card companies and bank issuers was partly settled last week when Target and Visa came to an agreement for $67 million. A settlement with MasterCard for $19 million was denied at the eleventh hour by a federal judge and is being renegotiated. As well, class action lawsuits and a suit in Canada are on the docket.

Beth Jacob, the company's CIO, resigned soon after the breach, in March 2014. Gregg Steinhafel, the company's CEO, resigned two months later, after 35 years with the brand.