Target has confirmed that it’s agreed to pay up to $10 million to its customers who lost credit and debit card data in a massive 2013 data breach.

As many as 4 million credit and debit cards were stolen from Target’s servers during the attack, which occurred during the thick of the holiday shopping season in 2013. Experts believe that the thieves snagged magnetic stripe data from the cards, which would allow them to re-create credit and debit cards.

The proposed settlement may mark the resolution of a large class action suit brought against Target after the breach, according to a CBS news report. The settlement, however, still must be approved by a federal court.

A federal court hearing in St. Paul, Minnesota (where Target’s headquarters is located) has been scheduled for Thursday to discuss the matter.

Thirteen lawsuits had been filed against Target by the end of 2013, seeking damages related to data lost in the breach.