Date: 2017-05-23

Georgia has joined 46 other states and the District of Columbia in an $18.5 million settlement with Target Corp. to resolve investigations into the retailer’s 2013 data breach. The settlement is the largest ever for a multistate data breach, according to a Georgia Attorney General’s Office news release.
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
Georgia will receive $394,592 from the settlement.
The money can be used by the state attorney general for attorneys’ fees and costs of investigating the breach. The money also can be applied to a consumer protection law enforcement fund or used by the Attorney General’s Office to help with consumer education, future consumer protection or privacy enforcement or other consumer aid programs, according to the settlement.
According to the release:
The investigation, led by authorities in Connecticut and Illinois, found that cyber attackers accessed Target’s gateway server Nov. 12, 2013, through credentials stolen from a third-party vendor.
The credentials were used to exploit weaknesses in Target’s system, allowing the attackers to access a customer service database, install malware and capture data. Data captured included full names, phone numbers, email addresses, mailing addresses, payment card numbers, card expiration dates, verification codes and encrypted debit PINs.
In addition to the monetary payment to the states, the settlement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer responsible for executing the plan.
The company also is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
Target also must maintain and support software on its network, maintain appropriate encryption policies, separate cardholder data from the rest of the computer network and take steps to control access to the network, including implementing password rotation policies and two-factor authentication for some accounts.
