Attorney General Ken Paxton today announced an $18.5 million settlement with the Target Corporation to resolve a multistate investigation into the retail company’s 2013 data breach. The breach affected more than 41 million customer payment card accounts, along with contact information for more than 60 million customers. To date, the settlement amount is the largest related to a data breach achieved by a multistate group.
The states’ investigation found that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor around November 12, 2013. The credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and capture consumers’ personal information and banking information.
“Cyber threats and identity theft are of increasing concern to Texas consumers,” Attorney General Paxton said. “Today’s settlement underscores that in the 21st century, a business that obtains consumers’ personal information must be proactive in maintaining reasonable safeguards to protect that information.”
In addition to the financial terms, the settlement requires Target to develop, implement and maintain a comprehensive information security program and hire an executive officer to oversee the program. The company must also hire an independent, qualified third party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain appropriate encryption policies, particularly as they pertain to cardholder data and personal information; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-step authentication for certain accounts.
Texas, along with 46 other states and the District of Columbia, participated in the investigation and settlement.