Target Corporation has entered into an $18.5 million settlement with 47 states over the massive data breach that occurred before the holidays in 2013. Iowa Attorney General, Tom Miller, says that the Minneapolis-based company’s voluntary compliance settlement includes a $229,000 payment to Iowa as well requiring significant new security safeguards. Miller says this is the largest multi-state data breach settlement to date, and that the depth and width of the cyber-attack affected a “staggering number” of consumers across the country. “This settlement requires more than a payment for Target,” Miller says. “It requires the retailer to take extra steps to try to ensure something of this magnitude never happens again.” Target is required to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. They will also hire an independent, qualified third-party to conduct a comprehensive security assessment. On Nov. 12, 2013, cyber attackers accessed Target’s computer network gateway server through login credentials stolen from a third-party vendor. The criminals then used the stolen credentials to exploit weaknesses in Target’s system and were able to install malware and capture point-of-sale data at terminals in more than 1,700 stores. Compromised data included names, telephone numbers, mailing addresses, expiration dates and three-digit card verification values (CVV)/card security codes (CSC) numbers and encrypted debit personal identification numbers (PINs).
