Target Corporation agreed to an $18.5 million settlement in a multistate investigation into a data breach that affected more than 41 million customers’ payment card accounts and another 60 million customers’ contact information in 2013.
The investigation found that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware and capture customers’ personal and banking information, according to Texas Attorney General Ken Paxton’s office.
Paxton announced the settlement on Tuesday. It is the largest settlement amount related to a data breach achieved by a multistate group.
“Cyber threats and identity theft are of increasing concern to Texas consumers,” Paxton said in a prepared statement. “Today’s settlement underscores that in the 21st Century, a business that obtains consumers’ personal information must be proactive in maintaining reasonable safeguards to protect the information.”
Aside from the financial settlement, Target is required to develop, implement and maintain a comprehensive information security program, according to the settlement. The retailer must also hire an executive officer to oversee the program and hire an independent third party to conduct comprehensive security assessments. Target must also maintain encryption policies, particularly for cardholder data and personal information, and must segment its cardholder data from the rest of its computer network.
Forty-seven states and the District of Columbia participated in the investigation and the settlement.