Commonwealth of Virginia
Office of the Attorney General
202 North Ninth Street
For media inquiries only, contact:
Lara Sisselman, Press Secretary
TARGET CORPORATION TO PAY $18.5M OVER 2013 DATA BREACH
~Virginia joined with 46 other states and the District of Columbia in settlement~
RICHMOND (May 23, 2017) - Attorney General Mark R. Herring today announced that the Commonwealth of Virginia has joined with 46 other states and the District of Columbia in an $18.5 million settlement with Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. Virginia will receive $352,710.80 from the settlement, which is the largest multistate data breach settlement achieved to date.
"This settlement requires Target to strengthen its security safeguards and create and maintain a comprehensive data security program, and other companies should follow suit," said Attorney General Herring. "Consumers should also remain vigilant regarding their data, including monitoring credit card and bank statements and credit reports. Unfortunately, attacks like the one that occurred at Target are becoming all too frequent, and businesses and consumers alike should do everything they can to safeguard personal and financial information."
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement, and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly pertaining to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
The states' investigation found that, on or about November 12, 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database, to install malware on the system, and to capture data, including consumer data comprised of full names, telephone numbers, email addresses and mailing addresses, payment card numbers, expiration dates and CVV1 codes, and encrypted debit PINs.
In addition to Virginia, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia, along with the District of Columbia.
This matter is being handled by Attorney General Herring's Consumer Protection Section. In November, Attorney General Herring announced the completion of a reorganization of the OAG Consumer Protection Section to more efficiently and effectively enforce Virginia's consumer protection laws, provide exceptional customer service in resolving complaints and disputes, and provide robust consumer education to keep Virginians from being victimized by fraud, scams, or illegal or abusive business practices. During Attorney General Herring's administration the OAG Consumer Protection Section has recovered more than $200 million in relief for consumers and payments from violators.
If you have any consumer-related inquiries, the Office of the Attorney General's Consumer Protection Hotline telephone counselors are available to assist you with your consumer questions. Please call the Consumer Protection Hotline at 1-800-552-9963 if calling from Virginia, or 804-786-2042 if calling from the Richmond area. You can also subscribe to the Consumer Protection Quarterly Newsletter here.
Virginia's settlement is in the form of an Assurance of Voluntary Compliance which has been filed for approval with the Richmond Circuit Court.