Delaware joined with 46 other states and the District of Columbia in a settlement with the Target Corp. to resolve the states' investigation into the retail company's 2013 data breach, resulting in increased protection for consumers.
The states' investigation, led by Connecticut and Illinois, found that on or about Nov. 12, 2013, cyber attackers accessed Target's gateway server using credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database and install malware on the system to capture data, including consumer personal and credit card data as well as encrypted debit PINs. The breach affected more than 41 million customer payment card accounts nationwide and contact information for more than 60 million customers.
The settlement agreement requires Target to:
— Develop, implement and maintain a comprehensive information security program and employ an executive or officer responsible for executing the plan.
— Hire an independent, qualified third party to conduct a comprehensive security assessment.
— Maintain and support software on its network.
— Maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data.
— Segment its cardholder data environment from the rest of its computer network.
— Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
The settlement also requires Target to pay $176,328.16 to the Delaware Consumer Protection Fund, which funds work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions. Target will pay a total of $18.5 million to states in the settlement as a result of the breach.
Deputy Attorney General Stephen McDonald, of the Consumer Protection Unit, handled the matter for the Delaware Department of Justice.