
Target Corp. reaches $18.5 million settlement with 47 states over data breach

Forty-seven states and the District of Columbia have reached an $18.5 million settlement with Target Corp. to resolve the states' probe into the discounter's massive pre-Christmas data breach in 2013. 
[Associated Press]
Published May 23, 2017

Target Corp. has agreed to pay Florida $928,963 out of a newly announced $18.5 million settlement over a huge data breach that occurred in late 2013.

But don't expect a check in the mail if your information was affected. The money will go toward "investigative costs and fees and towards future enforcement," according to Kylie Mason, press secretary for Florida Attorney General Pam Bondi.

The deal announced Tuesday with attorneys general from 47 states and Washington, D.C., is being billed as the largest multistate data breach settlement to date.

Florida was on the executive committee for the yearslong investigation.

"This data breach jeopardized the financial information of millions of Target customers in Florida and across the nation," Bondi said in a release. "Under our multi-state settlement announced today, Target consumers are now better protected from cyberattacks."

Target had announced the breach on Dec. 19, 2013, saying it occurred between Nov. 27 and Dec. 15 of that year.

More than 41 million people's credit or debit cards were affected by the episode, which exposed customers' credit card numbers, expiration dates and CVV1 codes. Debit PINs were also exposed, but they were encrypted. Additionally, 60 million Target customers' phone numbers, full names, mailing addresses and email addresses were compromised.

Attackers stole credentials from a third-party company Target contracted with and placed malware on Target's point-of-sale systems to collect the credit card information. The contact information was stolen from a separate customer service database.

As part of the settlement, Target agreed to establish an information security program, house customers' credit card data separately from other parts of its network and move to stronger password security measures such as two-factor authentication. Target will also hire a third-party auditor for the new security program.

The breach forced Target to overhaul its security system and the company offered free credit reports for potentially affected shoppers. Target's sales, profit and stock price all suffered months after the disclosure as shoppers were nervous about the security of their credit cards. The breach also contributed to the departure of Target's then-CEO, chairman and president Gregg Steinhafel, who resigned in May 2014. CEO Brian Cornell took the helm in August 2014.

Target's data breach was the first in a series of scams that hit other retailers including SuperValu and Home Depot. It forced the retail industry, banks and card companies to increase security and sped the adoption of microchips into U.S. credit and debit cards.