Target to Pay $18.5 Million to States in Data Breach Settlement
Target Corp. has agreed to pay $18.5 million in a settlement with 47 states and the District of Columbia that stems from a November 2013 data breach of the Minneapolis-based retailer. The breach affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.
The agreement represents the largest multistate data breach settlement, according to a May 23 announcement by Connecticut Attorney General George Jepsen. The states’ investigation was led by Jepsen and Illinois Attorney General Lisa Madigan.
The investigation determined that hackers accessed Target’s server using credentials stolen from a third-party vendor. The credentials enabled the hackers to access a customer service database, install malware on the system and collect customers’ full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, credit card verification codes and encrypted debit PINs.
In addition to the monetary settlement, which will be shared among the states, Target has agreed to implement and maintain an information security program and hire an officer responsible for executing the plan; hire an independent third-party company to conduct a security assessment; maintain software on its network for data security purposes; employ encryption policies, particularly as they pertain to cardholder and personal information data; and separate cardholder data from the rest of its computer network; and take steps to control access to its network, including implementing password-rotation policies and two-factor authentication.
In addition to Connecticut and Illinois, states participating in the settlement include: Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, New York, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia and the District of Columbia.
The breach has proved costly for Target, which also settled various lawsuits with banks, Mastercard, Visa and consumers for a total of $68.3 million.