Hacking Group Reported Security Issues With Samsung 8 Phone's Iris Recognition
Coming Soon: A New HD Video Standard For TV. Will Over-The-Air Broadcasts Remain Free?

Attorneys General In Several States Announce Settlement Agreements With Target

Target Bullseye logo The Office of the Attorney General (AG) for the Commonwealth of Massachusetts announced on Wednesday that the state will receive $625,000 as part of the settlement agreement with Target Corporation. The settlement agreement, which includes 47 states plus the District of Colombia, resolves claims by states about the retailer's massive data breach in 2013.

Card issuers had also sued the retailer. Target settled with Visa in August, 2015 to resolve claims in which 110 million consumers' records were stolen, including 40 million credit- and debit-card numbers. Also, debit card PIN numbers were stolen.

The announcement by Massachusetts AG Maura Healey explained:

"The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs... The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents."

Terms of the settlement require Target:

"... to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment... to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts."

California will receive $1.4 million from the settlement. New York AG Eric T. Schneiderman said about the settlement agreement:

"New Yorkers need to know that when they shop, their data will be protected... This settlement marks an important win for New Yorkers – bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward."

Yes, indeed. Shoppers everywhere need to know their data will be protected.

Besides Massachusetts, New York and California, the other states participating in this settlement include Alaska, Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.

AL.com reported:

"Alabama won't be cashing in on the largest multi-state data breach settlement in history, however. The reason, according to the Alabama Attorney General's Office, is the absence of a state law that requires entities to notify customers whose information could have been exposed in a breach and then take steps to remediate any injuries.

"Alabama is one of the few states in the nation that is not a party to the recent Target settlement because our state does not have data breach notification law," said Mike Lewis, Communications Director for the Office of the Alabama Attorney General."

Connecticut and Illinois led the states' investigation. The participating states have not yet announced how the settlement money will be distributed.

[Editor's Note: a prior version of this blog post did not include the report by AL.com.]

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name and email address are required. Email address will not be displayed with the comment.)