Target to Pay $18.5 Million to States in Data Breach Settlement

The agreement is the largest multistate data-breach settlement reached to date, according to the New York attorney general’s office.

by Dominic Fracassa, San Francisco Chronicle / May 24, 2017

(TNS) -- Target has agreed to pay $18.5 million to resolve investigations being conducted by 47 states and the District of Columbia stemming from the retailer’s 2013 data breach. In that incident, hackers compromised 41 million credit and debit card accounts and may have obtained the personal information of more than 60 million customers.

California expects to receive more than $1.4 million from the total settlement, the most of any state, the California attorney general’s office said Tuesday. An estimated 7.76 million Californians were affected by the breach, which occurred during the 2013 holiday shopping season.

None of the funds are going to affected shoppers, who may have been able to seek recompense through other means. Target is still trying to hash out a $10 million settlement in a consumer class-action lawsuit connected to the breach. The retailer paid out $39.4 million in 2015 to banks and credit unions who said they lost money and were put at risk as a result of the breach. That settlement followed a $67 million deal Target struck with Visa card issuers that year.

The terms of the settlement also require Target to implement and maintain a “comprehensive information security program” that will encrypt and secure customer data. The retailer must hire an executive to oversee the execution of that program and advise the company’s CEO and board of directors. Target must also hire an independent firm to conduct a comprehensive assessment of the company’s data security.

“This should send a strong message to other companies: You are responsible for protecting your customers’ personal information. Not just sometimes — always,” said California Attorney General Xavier Becerra in a statement announcing the settlement.

“We’ve been working closely with state attorneys general for several years to address claims related to Target’s 2013 data breach,” said Target spokeswoman Jenna Reck in an email. “We are pleased to bring this issue to a resolution for everyone involved.”

Hackers breached a system known as a gateway server using credentials stolen from a third-party vendor, exposing the customer and card data. The breach compromised a customer service database, exposing customers’ full names, telephone numbers, email and mailing addresses, credit card numbers and encrypted personal identification numbers for debit cards, among other data.

The fallout from the breach contributed to the ouster of Gregg Steinhafel as CEO in 2014. He was replaced by Brian Cornell, a former PepsiCo executive.

©2017 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC