Retail giant Target will pay an $18.5 million multi-state settlement, the largest ever for a data breach, to resolve state investigations of the 2013 cyber attack that affected more than 41 million of the company's customer payment card accounts.
Announced Tuesday by 47 states and the District of Columbia, the agreement sets new industry standards for companies that process payment cards and maintain confidential information about their customers.
The states' investigation of the breach determined that cyber-attackers gained access to Target's computer gateway server through credentials stolen from a third-party vendor in Nov. 2013. Using the credentials to exploit weaknesses in Target's system, the attackers gained access to a customer service database, installed malware on the system and captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data.
Along with affecting 41 million customer payment card accounts, the breach affected contact information for more than 60 million Target customers.
"Companies across sectors should be taking their data security policies and procedures seriously. Not doing so potentially exposes sensitive client and consumer information to hackers," said a statement issued by Connecticut Attorney General George Jepsen, who led the investigation along with Illinois counterpart Lisa Madigan.
Target previously provided free credit monitoring services for consumers affected by the breach. As part of a $10 million class-action lawsuit settlement reached in 2015, the company also agreed to pay up to $10,000 to consumers with evidence they suffered losses from the data breach.
Tuesday, the company said it had worked with the state investigators to address claims related to the embarrassing episode.
"We're pleased to bring this issue to a resolution for everyone involved," the Minneapolis-based company said in a written statement. Costs of the settlement are already reflected in liability reserves that Target has previously disclosed, the company added.
Terms of the agreement require Target to:
Develop, implement and maintain a comprehensive information security program
Employ an executive or officer responsible for executing the program
Hire an independent expert to conduct a security assessment
Maintain and support data security software on the company's network
Segregate the cardholder data from the rest of the network
Take steps to control network access, including password rotation policies and two-factor authentication
As part of the settlement, the states will use their respective shares of the Target payment for attorney fees and other investigation costs, as well as consumer protection law enforcement funds, consumer education or other purposes.