Little Rock, AR – According to Attorney General Leslie Rutledge, Arkansas joined with 46 other states and the District of Columbia in an $18.5 million settlement with Target to end an investigation into the company for a 2013 data breach that affected more than 41 million customer payment card accounts and contact information for more than 60 million of their customers.
The investigation, which was led by Connecticut and Illinois, found that in November 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware. This malware captured data, including consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, Card Verification Value (CVV1) and encrypted debit PINs.
“Target failed to take appropriate action prior to 2013 to properly protect the personal financial information of its millions of customers,” said Attorney General Rutledge. “Their decision has left many Arkansans susceptible to identity theft and forced many to close bank accounts and credit cards after their information was stolen. Because of the work of this multistate group, Target must properly protect the data of its customers.”
Arkansas will receive $226,438.37 of the $18,500,000. The settlement agreement also requires Target to develop, implement and maintain a comprehensive information security program and employ an executive officer who will be responsible for executing the program. Target is required to hire an independent, qualified third party to conduct a comprehensive security assessment. It further requires Target to maintain and support software on its network to maintain appropriate encryption policies, particularly as it pertains to cardholder and personal information data, to segment its cardholder data environment from the rest of its computer network and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.