(Bloomberg) – Target Corp. agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen.
It's the largest multistate accord ever reached over a data breach, according to New York Attorney General Eric Schneiderman. The hack, which occurred during the busy holiday shopping season in late 2013, affected more than 41 million customer payment-card accounts and exposed contact information of more than 60 million customers.
The settlement resolves investigations led by Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan which found that in November 2013 hackers accessed Target's gateway server through a third-party vendor, then used the information to exploit weaknesses in the retailer's system.
|Hacker accessed database & installed malware
The hackers accessed a customer service database and installed malware on Target's system that captured consumer data, including names, telephone numbers, email and mailing addresses as well as payment card numbers with their expiration dates and encrypted debit card personal identification numbers.
"Millions of consumers in Connecticut and across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target's inadequate security protocols," Jepsen said. "Through this settlement, we are assuring that Target improves its data protections."
|Security program requirement
The agreement requires Target to develop and maintain a comprehensive information-security program and to employ an executive who is responsible for implementing the changes, Schneiderman said. The company must also hire an independent, qualified monitor to conduct a comprehensive security assessment, Jepsen said.
Target is also required to maintain and support software and keep appropriate encryption policies regarding cardholder and personal data and segment that information from the rest of its computer network, according to the accord.
"This settlement marks an important win for New Yorkers — bringing in over $635,000 into the state, in addition to the free credit-monitoring services for those impacted by the data breach," Schneiderman said Tuesday.
Target in 2015 separately agreed to pay $10 million to settle claims by customers who said they were affected by the data breach, one of the largest to hobble retailers and banks in recent years.
Erin Conroy, a spokeswoman for Target, didn't immediately return email or voice-mail messages left at her office seeking comment.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
