On May 23, 2017, Target Corp. reached a settlement with 47 states and the District of Columbia, agreeing to pay $18.5 million to resolve the states’ investigation into Target’s 2013 customer data breach. The resolution represents the largest multistate data breach settlement to date.
In December 2013, Target announced that it had suffered a data breach affecting more than 41 million customer payment card accounts and personal information for over 60 million customers. Cyber-attackers accessed Target’s customer service database and installed malware that captured shoppers’ data over a period of 19 days in November and December 2013. According to the announcements from various states’ authorities, the breach exposed customers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification data, and encrypted debit PINs. Illinois Attorney General Lisa Madigan stated that the hackers gained access by using credentials stolen from a third-party HVAC vendor and exploiting weaknesses in Target’s security system.
Madigan and Connecticut Attorney General George Jepsen led the investigation into the breach, in conjunction with 45 attorneys general from other states as well as Washington, D.C. While their findings are confidential, they apparently found that the data was inadequately secured: in addition to the multimillion-dollar financial penalty, the settlement requires Target to encrypt its customer payment card data and segment it from the rest of its computer network, and to implement strengthened security features to control access to its network, such as password rotation policies and two-factor authentication for individual, administrator, and vendor accounts. Target will also be required to hire an independent third party to conduct a comprehensive security assessment within a year of the settlement date and to hire an executive or other officer to implement and maintain a comprehensive information security plan at the company.
The settlement with Target “establishes industry standards for companies that process payment cards and maintain secure information about their customers,” Madigan said in a statement. “People must remain vigilant about activity on their credit and debit cards as it’s not a matter of if but when you are going to be a victim of identity theft or a security breach.”
The states’ settlement of $18.5 million follows over $100 million in agreed payments by Target to settle with payment card companies and financial institutions that alleged financial losses and other damages as a result of the retailer’s breach. A consumer class action settlement of $10 million is also in the process of being considered for final approval in multi-district civil litigation.