AG Josh Hawley Joins $18.5M Settlement with Target Corporation over 2013 Data Breach

May 23, 2017, 10:53 AM
May 23, 2017, 10:51 AM

Jefferson City, Mo. – Attorney General Josh Hawley today announced that the Office of the Missouri Attorney General has joined with 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach. The settlement represents the largest multistate data breach settlement to date.

The states’ investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database. The attackers were able to install malware on the system and to capture data, including consumer data comprised of full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. 

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.  

“It is important to Missouri consumers and to this Office that those entities doing business with Missouri consumers take adequate steps to protect the data of consumers. My Office will continue to work to protect consumers when their personal information is compromised in violation of the law.”

In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. 

Missouri will receive $302,746.77 from the settlement. 

In addition to Missouri, and led by the Connecticut and Illinois, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.


2018 Archives 2018

2017 Archives 2017