In the largest settlement ever for a multi-state data breach, Target Corp. has agreed to pay New Jersey, 46 other states and the District of Columbia $18 million for its role in compromising the payment card information of more than 41 million shoppers nationwide.
New Jersey's cut of the payout is $680,411.
The company also agreed "to enact a variety of cyber-security reforms designed to prevent similar data breaches in the future," New Jersey Attorney General Christopher Porrino said.
That includes creating an information security program "headed by an executive or officer whose chief role will be to implement the program and advise Target’s CEO and Board of Directors on privacy and security issues," he said.
(More requirements of the settlement are outlined below.)
“This is an important settlement not so much because of what it requires Target to pay – although the payment amount is historic – but because of what it requires Target to do,” Porrino said.
The November 2013 cyber-intrusion was carried out by attackers using credentials stolen from a third-party vendor for Target, which has stores in Paramus, Hackensack, Edgewater, Clifton, Riverdale and North Bergen.
The hackers tapped into a database that held contact information for more than 60 million Target customers nationwide, including full names, telephone numbers, e-mail addresses, mailing addresses, payment card numbers, expiration dates, CVV1 codes and encrypted debit PINs, the attorney general said.
New Jersey, lead state Connecticut, and six other states formed a multi-state Executive Committee that investigated Target’s own role in the breach.
They found that "the stolen credentials were used to exploit numerous security vulnerabilities within Target’s data storage network, allowing the attackers to access a customer database and install malware on Target’s system that captured payment card information," Porrino said.
“Major retailers – including Target – routinely ask their customers to entrust them with personal information in service of payment card contracts, mailing lists, e-coupons and other promotions,” Porrino said. “But if retailers are going to solicit such personal information and retain it in a database, they have a duty to be vigilant about securing that database.
“The terms of this settlement are designed to ensure that happens going forward.”
The payout "represents the highest valuation of a multi-state data breach investigation to date," Porrino said. "The previous high amount was $9.75 million resulting from a 2009 settlement with TJX Companies, Inc."
The settlement also includes a dozen or so other requirements designed to shore up the retailer’s cyber-security efforts.
Among them, Target must:
Develop policies and procedures to ensure its vendors are complying with the Information Security Program;
Encrypt consumer payment card information throughout the course of a retail transaction;
Segment its cardholder data environment from the rest of its computer network;
Adopt, where possible, improved, industry-accepted payment card security technologies such as “chip” and “PIN” technology;
Take steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts;
Obtain an Information Security Assessment from a third-party assessor and make the report on that assessment available to the states.