Attorney General Racine Announces $18.5 Million Multistate Settlement with Target Corporation over 2013 Data Breach

Cyber Attackers Exploited Weaknesses in Target’s System to Steal Customers’ Personal Data

WASHINGTON, D.C. – Attorney General Karl A. Racine announced today that the District of Columbia has joined with 46 states in an $18.5 million settlement with the Target Corporation to resolve the states’ investigation into the retail company's 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date.

“Retailers have an obligation to protect the financial and personal information of their customers, an obligation Target failed to live up to when it failed to put proper safeguards in place to protect against data breaches,” said Attorney General Racine. “This settlement will ensure Target secures its data, and we hope it will also encourage other major retailers to take similar precautions.”

The states' investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database; to install malware on the system; and to capture data from Target’s customers. The consumer data the attackers captured included full names, telephone numbers, email addresses and mailing addresses; payment card numbers, expiration dates and CVV1 codes; and encrypted debit card PINs.

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

In addition to the monetary payment to the District and states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

The District will receive $168,972.71 from the settlement.

In addition to the District and lead states Connecticut and Illinois, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia.

Please click here to view a copy of the settlement document.

OAG Resources for Consumers
Data breaches like Target’s underscore the importance of consumers educating themselves about how to take their own precautions to protect their personal data. Read more about online privacy, identity theft and other important consumer-protection issues by visiting the Office of the Attorney General’s Consumer Protection Library, online at https://oag.dc.gov/consumerprotection.

If you think you may have been the victim of a data breach or have another consumer complaint, call the OAG Consumer Protection Hotline at (202) 442-9828 or send an email to consumer.protection@dc.gov.