Taking another step to put a massive data breach in 2013 behind it, Target has agreed to pay $18.5 million to 47 states and the District of Columbia.
The settlement resolves the states’ investigation into the breach, which affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Only Alabama, Wisconsin and Wyoming are not part of the largest-ever multistate data breach settlement.
Target also agreed to employ an executive to manage a “comprehensive information security program” as well as advise its chief executive and board.
California will receive $1.4 million from the settlement, the most of any state. “Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security,” California Attorney General Xavier Becerra said in a news release.
“This should send a strong message to other companies: You are responsible for protecting your customers’ personal information,” he added.
The states’ investigation found that in November of 2013, hackers accessed Target’s gateway server through credentials stolen from a third-party vendor and then exploited flaws in its computer system to install malware that captured consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs.
Target said it was “pleased to bring this issue to a resolution for everyone involved,” adding that the costs associated with the settlement were “already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”
The retailer has estimated the total cost of the breach at $202 million. In other settlements, it paid up to $67 million to Visa, $19 million to Mastercard, and $39 million to financial institutions. A proposed $10 million settlement of a consumer class action is awaiting court approval.
The latest settlement also requires Target to separate its cardholder data from the rest of its computer network and take steps to control access to the network, including implementing password rotation policies and two-factor authentication for certain accounts.
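The controls named in the settlement (isolating cardholder data from the rest of the network, restricting who can reach it, rotating passwords, and requiring two-factor authentication) are easiest to understand as ordered checks on an access request. The following is an added illustration, not Target's actual configuration or code from the article: a small policy evaluator with constructed zones, accounts and requests. The zone names, the 90-day rotation window and the sample accounts are assumptions chosen for the example; the point it demonstrates is that a credential belonging to a third-party vendor zone is stopped by the segmentation rule before password age or second-factor status is even considered.

```python
"""Toy access-policy evaluator (added example; not Target's configuration).

Models the four controls named in the settlement as ordered checks:
  1. segmentation (cardholder data zone is only reachable from allowed zones)
  2. password rotation (credentials older than a window are rejected)
  3. two-factor authentication for sensitive zones
Zones, accounts and requests below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Network zones (constructed names). The cardholder data environment is kept separate.
CDE = "cardholder_data"
CORPORATE = "corporate"
VENDOR = "vendor_portal"

# Explicit allow-list of zone-to-zone flows; anything absent is denied by default.
# The vendor portal is deliberately never allowed to reach the cardholder data zone.
ALLOWED_FLOWS = {
    (CORPORATE, CDE),
    (CORPORATE, CORPORATE),
    (VENDOR, VENDOR),
}

# Zones that require a verified second factor in addition to a password.
MFA_REQUIRED = {CDE}

# Assumed rotation window; the settlement does not specify one.
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class Account:
    name: str
    home_zone: str
    password_set_on: date
    mfa_verified: bool = False


@dataclass
class AccessRequest:
    account: Account
    target_zone: str
    today: date


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). The first failing control is the one reported."""
    acct = req.account

    # 1. Segmentation: the source zone must be explicitly permitted to reach the target.
    if (acct.home_zone, req.target_zone) not in ALLOWED_FLOWS:
        return False, f"segmentation: {acct.home_zone} -> {req.target_zone} not permitted"

    # 2. Password rotation: a credential older than the window is rejected even if
    #    it is otherwise valid, limiting how long a stolen password stays useful.
    age = req.today - acct.password_set_on
    if age > MAX_PASSWORD_AGE:
        return False, f"password rotation: credential is {age.days} days old (max {MAX_PASSWORD_AGE.days})"

    # 3. Two-factor: sensitive zones need a verified second factor, so a password
    #    alone is not enough to reach cardholder data.
    if req.target_zone in MFA_REQUIRED and not acct.mfa_verified:
        return False, f"mfa: second factor required for {req.target_zone}"

    return True, "allowed"


def run_samples(today: date = date(2013, 11, 15)) -> dict[str, tuple[bool, str]]:
    """Constructed requests exercising each control; returns name -> (allowed, reason)."""
    vendor = Account("vendor-acct", VENDOR, password_set_on=date(2013, 10, 1))
    stale = Account("ops-stale", CORPORATE, password_set_on=date(2013, 6, 1), mfa_verified=True)
    no_mfa = Account("ops-nomfa", CORPORATE, password_set_on=date(2013, 10, 1))
    good = Account("ops-good", CORPORATE, password_set_on=date(2013, 10, 1), mfa_verified=True)
    return {
        "vendor_to_cde": evaluate(AccessRequest(vendor, CDE, today)),     # stopped by segmentation
        "stale_password": evaluate(AccessRequest(stale, CDE, today)),     # 167-day-old credential
        "no_mfa": evaluate(AccessRequest(no_mfa, CDE, today)),            # password only
        "good": evaluate(AccessRequest(good, CDE, today)),                # passes all three
        "vendor_own_zone": evaluate(AccessRequest(vendor, VENDOR, today)),  # vendor stays in its zone
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Running the file prints one line per sample request. The ordering of the checks is the design choice worth noticing: segmentation is evaluated first, so a vendor credential aimed at the cardholder data zone is denied regardless of whether the password is fresh or a second factor is present, which is exactly the separation the settlement requires.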
