Attorney General Christopher S. Porrino announced today that Target Corp. has agreed to pay New Jersey, 46 other states and the District of Columbia a total of more than $18 million to resolve a multi-state investigation into a data breach that compromised the payment card information of more than 41 million shoppers nationwide.
Target’s $18.5 million settlement payout represents the highest valuation of a multi-state data breach investigation to date. The previous high amount was $9.75 million resulting from a 2009 settlement with TJX Companies, Inc.
In addition to the monetary terms, Target has agreed to enact a variety of cyber-security reforms designed to prevent similar data breaches in the future. The reforms include creation of an Information Security Program headed by an executive or officer whose chief role will be to implement the program and advise Target’s CEO and Board of Directors on privacy and security issues.
The November 2013 cyber-intrusion was carried out by attackers using credentials stolen from a third-party Target vendor. The States’ investigation found that the stolen credentials were used to exploit numerous security vulnerabilities within Target’s data storage network, allowing the attackers to access a customer data base and install malware on Target’s system that captured payment card information.
“This is an important settlement for New Jersey residents, not so much because of what it requires Target to pay – although the payment amount is historic — but because of what it requires Target to do,” said Attorney General Porrino.
“As a result of this settlement,” Porrino said, “Target must adopt new policies and procedures that will strengthen its cyber security efforts and better protect the personal information of its customers here and across the country. We’re gratified to have played an integral role in negotiating this important outcome on behalf of New Jersey consumers.”
New Jersey, lead state Connecticut, and six other states formed the multi-state Executive Committee that investigated Target’s own role in the November 2013 data breach. Under terms of the settlement announced today, New Jersey will receive a total payout of $680, 411 from Target.
The security breach at issue compromised a data base that included contact information for more than 60 million Target customers nationwide, including full names, telephone numbers, e-mail addresses, mailing addresses, payment card numbers, expiration dates, CVV1 codes and encrypted debit PINS.
“Major retailers – including Target – routinely ask their customers to entrust them with personal information in service of payment card contracts, mailing lists, e-coupons and other promotions,” Attorney General Porrino said “But, if retailers are going to solicit such personal information and retain it in a data base, they have a duty to be vigilant about securing that data base. The terms of this settlement are designed to ensure that happens going forward.”
In addition to the requirement that Target create a new Information Security Program, the settlement contains approximately a dozen other injunctive terms designed to shore up the retailer’s cyber-security efforts. Among those injunctive terms are requirements that Target develop policies and procedures to ensure its vendors are complying with the Information Security Program, encrypt consumer payment card information throughout the course of a retail transaction, and segment its cardholder data environment from the rest of its computer network.
The injunctive terms also require that Target adopt, where possible, improved, industry-accepted payment card security technologies such as “chip” and “PIN” technology, and that the retailer take steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. Target is also required under the settlement to obtain an Information Security Assessment from a third-party assessor, and to make the report on that assessment available to the states.
Deputy Attorney General Elliott M. Siebers, assigned to the Division of Law’s Government & Healthcare Fraud section, and Deputy Attorney General Patricia Schiripo, Assistant Chief of the Consumer Fraud Section, handled the Target matter on behalf of the State.