Target is paying the largest data breach settlement in history: $18.5 million for the November 2013 hacking of its servers.
Target agreed to pay $18.5M to more than 40 million of its customers to settle a 2013 data breach lawsuit. It's the largest-ever settlement for a data breach case, covering victims across 47 US states and the District of Columbia.
According to a USA Today report, investigators said hackers breached the retail giant's servers in November 2013, using credentials stolen from a third party. The suspects then accessed a customer service database and grabbed confidential customer data: names and phone numbers, payment and credit card numbers, and email addresses.
Some 41 million customer payment accounts were affected by the breach, while the contact information of 60 million Target customers was also compromised.
Earlier, Target also agreed to pay $10,000 to consumers who prove they suffered losses as a result of the data breach. The company also offered free credit monitoring services to the victims. These were part of a $10 million settlement in 2015, for a class action lawsuit.
In a statement, Connecticut Attorney General George Jepsen said the case should be a lesson to companies to take data security policies and procedures more seriously. He said failure to do so exposes sensitive information to hackers. Jepsen had led the investigation along with his Illinois counterpart, Lisa Madigan.
On Tuesday, Target said it worked with state investigators to address claims related to the case. The Minneapolis-based company added that it is pleased that the case has been resolved. It also noted that the costs of the settlement are reflected in its previously disclosed liability reserves.
Under the settlement, Target agreed to accomplish the following:
- develop, implement and maintain a data security program;
- designate an employee or officer to oversee and execute the program;
- conduct a data security assessment through an independent expert;
- install and maintain security data software on its servers and networks.
The company also agreed to separate cardholder data from the rest of its network and to better control network access. This includes password rotation and two-factor authentication.