Target to pay $18.5 million nationally, including $229,000 to Iowa, and must implement significant new cyber security safeguards
DES MOINES – Minneapolis-based Target Corporation has agreed to an $18.5 million settlement with 47 state attorneys general, including Attorney General Tom Miller, over the retail giant’s massive data breach in 2013.
The breach—one of the largest in U.S. history—affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
The settlement, through an assurance of voluntary compliance, includes a $229,000 payment to Iowa and requires significant new corporate network security safeguards. It represents the largest multistate data breach settlement to date.
“The Target data breach was particularly deep and wide, and affected a staggering number of consumers across Iowa and across the country,” Miller said. “Cyber attackers who scoop up this type of digital information jeopardize their victims’ financial health, and companies that store our personal information simply must do everything they reasonably can to protect it.”
The states' investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target's computer network gateway server through login credentials stolen from a third-party vendor. The criminal hackers used the stolen credentials to exploit weaknesses in Target's system.
The attackers accessed a customer service database, installed malware and captured data at point-of-sale terminals in more than 1,700 stores. The compromised consumer data included full names, telephone numbers, email addresses and mailing addresses, payment card numbers, expiration dates and 3-digit card verification value (CVV)/card security code (CSC) numbers, and encrypted debit personal identification numbers (PINs).
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
Through the settlement, Target is also required to:
- Maintain and support software on its network
- Maintain appropriate encryption policies—particularly as it pertains to cardholder and personal information data
- Segment its cardholder data environment from the rest of its computer network
- Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts
“This settlement requires more than a payment for Target. Significantly, it requires the retailer to take extra steps to try to ensure something of this magnitude never happens again,” Miller said. “I hope Target learns from this and other companies that store our personal data learn from it, too.”
Iowa’s share of the settlement will go to the state’s consumer education and litigation fund.
Shortly after acknowledging the breach, Target offered affected consumers one year of free credit monitoring. The company also pledged that customers would not be liable for any fraudulent charges arising from financial information that had been compromised through the breach.