Press Release

Settlement reached with Target following major consumer data breach

May 23, 2017 | Topic: Consumers

Attorney General Josh Shapiro: PA will receive $469,000 from settlement, which requires Target to make real reforms to protect customers’ data from cyber-hackers

HARRISBURG — Attorney General Josh Shapiro today announced Pennsylvania has joined with 46 states in an $18.5 million settlement with the Target Corporation over a major data breach in 2013 that resulted in over 100 million pieces of credit card or personal information being stolen from customers nationwide. 1.6 million consumer transactions affected by the data breach took place in Pennsylvania.

Under the settlement, Pennsylvania will receive $469,000, which will go to the Pennsylvania Treasury. The settlement also requires Target to make significant reforms to improve its security measures to better protect its customers’ financial data from future cyber-hacking attempts. Apart from the settlement, an estimated 225,000 consumers across the country will receive restitution from a $10 million fund established through class-action litigation.

“Financial privacy and protecting your personal credit information are of real concern to me and our team,” said Attorney General Shapiro. “This massive data breach at Target affected tens of millions of Americans, including over 1 million Pennsylvanians. The reforms which this settlement requires will help ensure that Target customers’ personal and credit data are better protected in the future.”

On or about November 12, 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The cyber thieves exploited weaknesses in Target’s system, which allowed them to access a customer service database, install malware on the system and capture consumer data including full names, telephone numbers, email and mailing addresses, payment card information and encrypted debit card pin numbers for millions of Target customers.

In addition to the monetary settlement with the states, the multistate agreement requires Target to develop and maintain a comprehensive information security program and employ an executive or officer responsible for supervising it. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.

The settlement also requires Target to:

  • Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal financial information data;
  • Segment its cardholder data from the rest of its computer network; and
  • Take steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

“The long-term value of this settlement is the reform effort Target must undertake to protect the personal financial data of Pennsylvania consumers and consumers across the country,” Attorney General Shapiro said. “Consumers can trust  that their information is secure when they purchase items, and not at risk of being stolen by cyber-hackers.”

Click here for a full list of the states participating in this case and to read the settlement agreement.

# # #