Target to pay states $18.5M over hack

Target is agreeing to pay $18.5 million and take steps to improve its cybersecurity to settle investigations by 47 states and the District of Columbia into its handling of a 2013 hack.

The multi-state settlement, which is the largest ever for a data breach, stems from an investigation that found Target had not taken enough steps to properly secure its customers’ data. The hack compromised millions of customer accounts, including credit card and contact information.

Hackers were able to gain access to Target’s server via credentials stolen from a third-party vendor. Hackers then exploited that access to install malware that captured information including names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates and encrypted debit pins.

{mosads}In addition to the $18.5 million, Target will also provide free credit monitoring for those affected, keep its software up to date to prevent hackers from finding new weaknesses they can exploit, maintain “appropriate” encryption policies, and keep cardholder information on a separate network.

The retailer will also “develop, implement and maintain a comprehensive information security program and … employ an executive or officer who is responsible for executing the plan,” to prevent future breaches.

“New Yorkers need to know that when they shop, their data will be protected,” said New York Attorney General Schneiderman (D) in a statement on the settlement.

“This settlement marks an important win for New Yorkers — bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”