The New York Attorney General Eric Schneiderman has announced that 47 states and the District of Columbia have reached a $18.5 million settlement with the Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach
More than 41 million customer payment card accounts were affected and more than 60 million customers’ contact information was exposed.
New York State will receive $635,224.33 as a result of the agreement — the largest multi-state data breach settlement reached to date.
“New Yorkers need to know that when they shop, their data will be protected,” said Attorney General Schneiderman. “This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”
Investigators, led by attorneys general from Connecticut and Illinois, found that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor.
The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
In addition to the monetary payment to the states, Target is required to implement a comprehensive information security program and to employ an executive or officer to oversee the execution of the program. The company is also required to hire an outside vendor to conduct a comprehensive security assessment.