Arkansas Attorney General Leslie Rutledge announces Arkansas has joined with 46 other states and the District of Columbia in an $18.5 million settlement with Target Corp. to resolve an investigation into the retail company’s 2013 data breach. The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
“Target failed to take appropriate action prior to 2013 to properly protect the personal financial information of its millions of customers,” said Attorney General Rutledge. “Their decision has left many Arkansans susceptible to identity theft and forced many to close bank accounts and credit cards after their information was stolen. Because of the work of this multi-state group, Target must properly protect the data of its customers.”
The investigation, which was led by Connecticut and Illinois, found that in November 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware. This malware captured data, including consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, Card Verification Value (CVV1) and encrypted debit PINs.
In addition to the monetary payment to the states, of which Arkansas will receive $226,438.37, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and employ an executive or officer who is responsible for executing the program. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network, to maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data, to segment its cardholder data environment from the rest of its computer network and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
In addition to Arkansas, Connecticut and Illinois, this settlement includes: Alaska, Arizona, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia and the District of Columbia.