Retail giant Target has agreed to pay a whopping $18.5m (£14.25m) settlement with 47 US states and the District of Columbia over a massive 2013 data breach that affected tens of millions of people. In one of the biggest data breaches to hit a US retailer, hackers stole the payment card data of more than 41 million shoppers as well as the contact information of over 60 million customers.
The multi-state settlement, announced on Tuesday (23 May), was reached with 48 state attorneys general. The attorneys general of Connecticut and Illinois led the year-long investigation into the breach.
The states' investigation found that hackers had gained access to Target's computer gateway server through credentials stolen from a third-party vendor in November 2013. The stolen credentials were then used to exploit weaknesses in the company's system, allowing the hackers to infiltrate a customer service database, install malware on the system and capture a trove of sensitive consumer data.
Customers' full names, phone numbers, email addresses, mailing addresses and payment card data, such as expiration dates, CVV1 codes and encrypted PINs, were stolen in the attack.
In March 2014, Target admitted that its computer security system did alert it to suspicious activity. However, the company decided to ignore it.
Besides the huge monetary payment, Target will also be required to develop and implement a comprehensive information security program, employ an officer to execute it and hire a third-party assessor to conduct a security assessment.
The settlement also requires Target to bolster its digital security, including implementing appropriate encryption policies, separating its cardholder data from the rest of its computer network, implementing password rotation policies and requiring two-factor authentication for certain accounts.
"Companies across sectors should be taking their data security policies and procedures seriously," Connecticut Attorney General George Jepsen, who led the investigation along with Illinois counterpart Lisa Madigan, said in a statement. "Not doing so potentially exposes sensitive client and consumer information to hackers.
"I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information."