Target Will Pay $18.5M To 47 States To Close Investigations Into 2013 Data Breach

Just like those embarrassing Facebook photos of you with your ill-advised “Macklemore” hairdo, Target’s massive 2013 data breach continues to haunt the retailer. Today, the company reached an agreement to pay $18.5 million to close the book on investigations by 47 states (and D.C.) into the month-long attack that exposed information for more than 60 million payment card accounts.

The attorneys general for Illinois and Connecticut led the multi-state investigation into the Target breach, which began in mid-November 2013 and lasted for a full month, including the busy Black Friday holiday shopping weekend.

Target’s payment card system was infiltrated via credentials stolen from a third-party heating and air-conditioning contractor for the retailer. In all, more than 41 million people had their card information stolen. Since many customers used multiple payment cards to make purchases at Target, the total number of compromised accounts was north of 60 million.

The $18.5 million will be divvied up among the many states participating in the action.

Beyond the financial portion of the settlement, Target has agreed to develop and maintain a comprehensive information security program, with a single executive tasked with overseeing this plan. The retailer must also obtain a comprehensive security assessment from an independent, qualified third party. Target’s customer and payment card data must be appropriately encrypted, and cardholder info must be walled off from the rest of the Target network. To reduce the risk of stolen login credentials, Target will also implement password rotation policies and two-factor authentication.

“Today’s settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers,” said Illinois Attorney General Lisa Madigan. “People must remain vigilant about activity on their credit and debit cards as it’s not a matter of if but when you are going to be a victim of identity theft or a security breach.”