A settlement amounting to $18.5 million will be paid by Target over a data breach that occurred in 2013. Over 41 million of Target’s payment card accounts were affected in the data breach. The settlement was reached with 47 states plus the District of Columbia.
According to Eric Schneiderman, the attorney general of New York, the amount Target has agreed to pay in order to settle investigations is the largest ever for a data breach. The data breach which happened in the course of the holiday shopping season not only ended up with payment card account information of 41 million customers stolen but also led to contact information of over 60 million customers exposed. The investigations were led by the attorney general of Illinois, Lisa Madigan and the attorney general of Connecticut, George Jepsen.
To access the gateway server of Target, the hackers used a 3rd-party vendor and they then used that information to exploit system weaknesses. Once the hackers had accessed the database of a customer, they installed malware on the systems of Target in order to capture such consumer data as mailing addresses, email addresses, telephone number and names. The hackers were also able to capture not only payment card numbers but also their expiration dates as well as the encrypted debit card PIN numbers.
Following the settlement Target is now required to undertake the development and maintenance of a comprehensive program for information security. It will also be required to hire an executive who will be charged with the responsibility of implementing the changes. Additionally, the retail giant must also recruit a qualified and independent monitor who will run an elaborate and comprehensive security assessment.
Data security software
Target will also have to support and maintain on the company’s network data security software as well as take steps to ensure that network access is controlled. Cardholder data will also be required to be segregated from the company-wide network.
Proceeds from the settlement will be used by the states to pay for their legal fees as well as cater for investigation costs. The proceeds of the settlement will also be used in consumer education and in law enforcement funds for consumer protection. According to Target the cost of the settlement had already been recognized and disclosed.
“The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed,” said Target’s spokesperson, Jenna Reck, in a statement.