Target to Pay $18.5 Million to 47 States in Security Breach Settlement
Target will pay $18.5 million to 47 states and the District of Columbia as part of a settlement with state attorneys general over a huge security breach that compromised the data of millions of customers.
The settlement ends a yearslong investigation into how hackers obtained names, credit card numbers and other information about tens of millions of people in 2013.
New York will receive $635,000, while California will receive $1.4 million, the largest amount of any state, according to the Eric T. Schneiderman, New York’s attorney general. Dollar figures were determined “largely” based on each state’s population size, his office said.
Wyoming, Wisconsin and Alabama were not included in Tuesday’s announcement. Representatives for the attorneys general in those states did not have an immediate comment or could not be reached.
In a statement, Target said that it was “pleased” to have resolved the issue. Target has spent $202 million on legal fees and other costs since the breach, according to the company’s most recent annual statement.
The investigation, led by attorneys general in Connecticut and Illinois, concluded that attackers had stolen credentials from a third-party vendor that they used to access a customer database. They then installed malware that helped capture other consumer data.
As part of the settlement, Target agreed to tighten its digital security, including maintaining software and encryption programs to safeguard people’s personal information. The retailer will have to separate its cardholder data from the rest of its computer network and pay for an independent assessment of its security measures, according to Tuesday’s announcement.
On Dec. 19, 2013, during the biggest shopping season of the year, Target confirmed that credit and debit card information about 40 million customers had been stolen. Several weeks later, the company said that other information for 70 million people, including email and mailing addresses, had also been exposed.
After an internal review, Target acknowledged that it had missed signs of the data breach. The disaster helped push out the chief executive of Target, Gregg W. Steinhafel, who resigned in May 2014. Target’s current chief executive, Brian C. Cornell, took over in August of that year.
Hackers went on to target other retailers, including Home Depot, in a series of digital attacks aimed at stealing sensitive customer information from millions of consumers around the country.