For Immediate Release
Media Contact: Kriss Bivens Cloyd
(208) 334-4119

Date: May 23, 2017

Idaho Announces $18.5M Settlement with Target Corporation over 2013 Data Breach

BOISE – Attorney General Lawrence Wasden has announced Idaho joined 46 states and the District of Columbia in reaching an $18.5 million settlement with the Target Corporation. The settlement addresses the company’s 2013 data breach that affected more than 41 million payment card accounts and contact information for over 60 million customers. In Idaho, the breach affected approximately 140,000 payment card accounts and contact information for approximately 280,000 customers.[1]

The states’ investigation revealed that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware on the system and to capture data. The attackers collected consumers’ full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, verification codes, and encrypted debit PINs.

The settlement requires Target to maintain an information security program. Target also must retain an independent third-party to conduct a comprehensive security assessment of the company. Other mandatory provisions of the settlement include:

  • maintaining appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
  • segmenting its cardholder data environment from the rest of its computer network; and
  • undertaking steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Idaho will receive $192,956 from the settlement funds to cover its fees and investigative expenses.

[1] Payment Card Accounts: This number is based on Target's analysis of the payment card accounts that were used at terminals in Idaho from November 27th to December 15, 2013. Contact Information: For guests with a mailing address logged in Target’s Guest Services Database that was stolen during the attacked, the number approximates the affected guests in Idaho.

###

News by Year:
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003