Idaho to receive part of $18.5M settlement with Target Corporation over data breach - East Idaho News
Local

Idaho to receive part of $18.5M settlement with Target Corporation over data breach

  Published at  | Updated at

The following is a news release from the State of Idaho Office of the Attorney General.

BOISE — Attorney General Lawrence Wasden has announced Idaho joined 46 states and the District of Columbia in reaching an $18.5 million settlement with the Target Corporation.

The settlement addresses the company’s 2013 data breach that affected more than 41 million payment card accounts and contact information for over 60 million customers. In Idaho, the breach affected approximately 140,000 payment card accounts and contact information for approximately 280,000 customers.

The states’ investigation revealed that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware on the system and to capture data.

The attackers collected consumers’ full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, verification codes, and encrypted debit PINs.

The settlement requires Target to maintain an information security program. Target also must retain an independent third-party to conduct a comprehensive security assessment of the company. Other mandatory provisions of the settlement include:

· maintaining appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
· segmenting its cardholder data environment from the rest of its computer network; and
· undertaking steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Idaho will receive $192,956 from the settlement funds to cover its fees and investigative expenses.

SUBMIT A CORRECTION