Brigida Soriano - Fotolia
US retailer Target has agreed to an $18.5m settlement with 47 US states and the District of Columbia over its 2013 data breach that affected tens of millions of customers.
The settlement comes on top of the $202m Target has spent on legal fees and other costs since the breach, according to the company’s most recent annual statement.
Cyber attackers stole the payment card data of more than 41 million customers as well as the contact information of more than 60 million customers.
The settlement was reached with 48 state attorneys general after an investigation led by the attorneys general of Connecticut and Illinois.
The investigation found that cyber criminals had gained access to Target’s gateway server using credentials stolen from a heating, ventilation and air conditioning contractor in November 2013.
The Pittsburgh-based contractor was connected to Target’s systems to provide electronic billing services, contract submissions and project management services.
Once on the gateway server, the cyber criminals were then able to exploit weaknesses in the IT system to access a customer service database and install data stealing malware on the point of sale (PoS) system.
The stolen data included customers’ full names, phone numbers, email addresses, home addresses and payment card data such as expiration dates, encrypted security codes and encrypted PINs.
In March 2014, Target admitted that IT security system had raised alerts, but these were missed because of the high volume of alerts being generated.
Read more about data breaches
- Security experts say the fact that data breaches at FTSE 100 firms cost on average £120m in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy.
- Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
- Stolen and lost devices are the biggest causes of data leaks in the financial sector, which experienced twice as many leaks in 2015 than the year before, a report reveals.
- The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
As part of the settlement, Target will have to develop and implement a comprehensive information security program, employ an officer to execute it and commission a third-party security assessment.
Target is also required to implement appropriate encryption policies, separate cardholder data, implement password rotation policies and add two-factor authentication for certain accounts.
“Companies across sectors should be taking their data security policies and procedures seriously,” said George Jepsen, Connecticut attorney general.
“Not doing so potentially exposes sensitive client and consumer information to hackers,” he said, adding that he is hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers’ information.
Most businesses are still not taking cyber security seriously enough, according to Dido Harding, former CEO of TalkTalk, which suffered a major data breach in 2015.
“We thought we were taking it seriously, but of course we weren’t taking it seriously enough, and no one is. A lot of business leaders are afraid of it and want to delegate it down,” she told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.