Target Corp. reached an $18.5 million settlement Tuesday concerning an infamous 2013 data breach that affected upwards of 100 million customers, New York Attorney General Eric Schneiderman announced Tuesday.
The deal involved 47 states and is described as the largest multi-state breach agreement in U.S. history. The settlement requires that Target maintain cybersecurity safeguards that were installed after the breach was first disclosed and implement appropriate encryption policies where possible.
Over the last several years, Target executives have worked with state authorities to address hundreds of claims related to the 2013 Christmas data breach — which caused the franchise’s then CEO Gregg Steinhafel to resign. A statement by a company spokesperson provided to the Associated Press reads: “we’re pleased to bring this issue to a resolution for everyone involved.”
— Eric Schneiderman (@AGSchneiderman) May 23, 2017
The attack was blamed on Russian cybercriminals by more than one private sector cybersecurity firm; the U.S. government did not provide attribution in this case. Hackers compromised credit card numbers and other personal information for up to 110 million Target customers by specifically targeting payment systems used in Target storefronts across the country.
Investigators reviewing the Target breach case found in 2014 that the hackers originally gained access to Targets’ network by stealing login credentials from a third-party vendor.
“Consumers should also remain vigilant regarding their data, including monitoring credit card and bank statements and credit reports,” Virginia attorney general Mark Herring said in a statement.
Individual settlement payments are being organized on a per-state basis. For example, Virginia is set to receive $352,710.80 as part of the agreement, which will be delivered to victims of the breach.