The Utah Attorney General’s Office and the Utah Division of Consumer Protection have announced that Utah has joined with 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corp. to resolve the states’ investigation into the retail company’s 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date.
The states’ investigation found that around Nov. 12, 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database; to install malware on the system; and to capture data, including consumer data consisting of full names, telephone numbers, email addresses and mailing addresses; payment card numbers, expiration dates and CVV codes; and encrypted debit PINs.
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
“Target’s massive data breach in 2013 revealed that consumers’ information is constantly under attack by hackers seeking cyber profits. This being the largest multi-state settlement over a data breach should send a strong message that businesses need to remain vigilant in protecting their customer after the transaction has ended,” said Francine A. Giani, executive director of the Utah Department of Commerce.
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
Utah will receive $222,663.12 from the settlement.
In addition to Utah, other states receiving a share of the settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington and West Virginia, as well as the District of Columbia.