
US retailer Target agrees $18.5m data breach settlement

A breach settlement with 47 US states has taken the cost of the 2013 data breach at retailer Target to more than $220m

US retailer Target has agreed to an $18.5m settlement with 47 US states and the District of Columbia over its 2013 data breach that affected tens of millions of customers.

The settlement comes on top of the $202m Target has spent on legal fees and other costs since the breach, according to the company’s most recent annual statement.

Cyber attackers stole the payment card data of more than 41 million customers as well as the contact information of more than 60 million customers.

The settlement was reached with 48 state attorneys general after an investigation led by the attorneys general of Connecticut and Illinois.

The investigation found that cyber criminals had gained access to Target’s gateway server using credentials stolen from a heating, ventilation and air conditioning contractor in November 2013.

The Pittsburgh-based contractor was connected to Target’s systems to provide electronic billing services, contract submissions and project management services.

Once on the gateway server, the cyber criminals were able to exploit weaknesses in the IT system to access a customer service database and install data-stealing malware on the point of sale (PoS) system.

The stolen data included customers’ full names, phone numbers, email addresses, home addresses and payment card data such as expiration dates, encrypted security codes and encrypted PINs.

In March 2014, Target admitted that its IT security system had raised alerts, but these were missed because of the high volume of alerts being generated.
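The two failures the article describes, a contractor's credentials being used to reach systems far beyond the billing portal they were issued for, and genuine alerts drowning in volume, can be turned into a single defensive check. The following is an added example written for this page, not code from the article, Target or the investigators: it scans constructed authentication log lines for a scoped vendor account logging on to hosts outside its allow-list, then collapses the individual hits into one finding per destination host so an analyst sees a handful of prioritised cases rather than a stream of identical alerts. The account name, hostnames, log format and allow-list are all assumptions.

```python
"""
Added example (not part of the article): a small detection routine for the
attack path the article describes. A contractor's account that should only
reach a billing portal is seen authenticating to other internal hosts. The
routine also collapses repeated hits into one prioritised finding, which is
the point of the article's note that alerts were missed because of volume.
All hostnames, account names and log lines below are constructed.
"""
from collections import defaultdict
import re

# Hypothetical allow-list: which internal hosts each third-party account may reach.
VENDOR_SCOPE = {
    "hvac-vendor": {"billing-portal"},
}

# Constructed log format: "<ts> auth user=<u> src=<ip> dst=<host> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: normal billing-portal use, then the same account reaching
# a customer database and a PoS controller, then an unrelated internal user.
SAMPLE_LOGS = """\
2013-11-15T08:01:00Z auth user=hvac-vendor src=203.0.113.7 dst=billing-portal result=ok
2013-11-15T08:02:10Z auth user=hvac-vendor src=203.0.113.7 dst=billing-portal result=ok
2013-11-27T02:13:41Z auth user=hvac-vendor src=203.0.113.7 dst=cust-db-01 result=ok
2013-11-27T02:13:42Z auth user=hvac-vendor src=203.0.113.7 dst=cust-db-01 result=ok
2013-11-27T02:14:05Z auth user=hvac-vendor src=203.0.113.7 dst=pos-ctrl-03 result=ok
2013-11-27T02:14:30Z auth user=hvac-vendor src=203.0.113.7 dst=pos-ctrl-03 result=fail
2013-11-27T09:00:00Z auth user=jsmith src=10.1.4.9 dst=cust-db-01 result=ok
"""


def parse(lines):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in lines.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def out_of_scope_events(lines, scope=VENDOR_SCOPE):
    """Return successful logons by a scoped vendor account to hosts outside its allow-list."""
    return [
        e for e in parse(lines)
        if e["user"] in scope and e["result"] == "ok" and e["dst"] not in scope[e["user"]]
    ]


def build_findings(lines, scope=VENDOR_SCOPE):
    """Collapse per-event hits into one finding per (account, destination host).

    Each finding carries a count and first/last timestamps so an analyst sees
    one case per pivot target instead of one alert per logon. Severity is
    'high' when the account reached more than one out-of-scope host, since a
    single vendor account touching several internal systems looks like lateral
    movement rather than a one-off misconfiguration.
    """
    grouped = defaultdict(list)
    for e in out_of_scope_events(lines, scope):
        grouped[(e["user"], e["dst"])].append(e["ts"])

    hosts_per_user = defaultdict(set)
    for user, dst in grouped:
        hosts_per_user[user].add(dst)

    findings = []
    for (user, dst), stamps in sorted(grouped.items()):
        findings.append({
            "user": user,
            "dst": dst,
            "count": len(stamps),
            "first_seen": min(stamps),
            "last_seen": max(stamps),
            "severity": "high" if len(hosts_per_user[user]) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in build_findings(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample this yields two findings for the vendor account (the customer database and the PoS controller), both rated high because one account reached more than one host it had no business on; the failed logon is left out of the count but would be worth keeping as supporting context, and the unrelated internal user is never considered because no allow-list applies to that account.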

Later that month, Beth Jacob resigned as chief information officer (CIO), followed by the resignation of chief executive and chairman Gregg Steinhafel two months later.


As part of the settlement, Target will have to develop and implement a comprehensive information security program, employ an officer to execute it and commission a third-party security assessment.

Target is also required to implement appropriate encryption policies, separate cardholder data, implement password rotation policies and add two-factor authentication for certain accounts.

“Companies across sectors should be taking their data security policies and procedures seriously,” said George Jepsen, Connecticut attorney general.

“Not doing so potentially exposes sensitive client and consumer information to hackers,” he said, adding that he is hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers’ information.

Most businesses are still not taking cyber security seriously enough, according to Dido Harding, former CEO of TalkTalk, which suffered a major data breach in 2015.

“We thought we were taking it seriously, but of course we weren’t taking it seriously enough, and no one is. A lot of business leaders are afraid of it and want to delegate it down,” she told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.
