Attorney General Herbert H. Slatery III recently announced that Tennessee has joined 46 other states and the District of Columbia in an $18.5 million settlement with Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach. The settlement represents the largest ever multistate data breach settlement.
The states’ investigation, led by Connecticut and Illinois, found that in November 2013 cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database.
The cyber-attack exposed customer information including names, telephone numbers, email and mailing addresses. The attackers also gained access to payment card information including card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
The data breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. An estimated 770,000 Tennesseans were impacted by this attack. As part of the settlement, the state of Tennessee will receive $311,616.
“Customers need to know their personal information is secure when they shop,” Slatery said. “For companies, protecting their customer data should be as important to the transaction as the sale itself. The key to this settlement is taking steps to prevent future cyber-attacks.”
In addition to monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.
The settlement further requires Target:
- To maintain and support software on its network;
- To maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data;
- To segment its cardholder data environment from the rest of its computer network;
- To undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
In addition to Tennessee, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, Utah, Vermont, Virginia, Washington, and West Virginia and the District of Columbia.