Target Settles Probe Into Its 2013 Hack -- WSJ
May 24 2017 - 3:02AM
Dow Jones News
By Nicole Hong
Target Corp. on Tuesday agreed to pay $18.5 million to resolve
an investigation by state prosecutors into its massive 2013 hack, a
deal that represents the largest multistate data breach settlement
in history.
The investigation, led by the attorney generals in Connecticut
and Illinois, focused on allegations that more than 40 million
customers had their credit or debit card information compromised in
2013 after Target failed to provide reasonable data security.
The money will go to 47 states and the District of Columbia,
with California receiving the largest share of more than $1.4
million.
"Millions of consumers...across the country were impacted by
this data breach and by what we believe, through our multistate
investigation, were Target's inadequate data security protocols,"
said George Jepsen, Connecticut's attorney general.
A spokeswoman for Target said the company is "pleased to bring
this issue to a resolution." Target has been working with states
for several years to address claims from the 2013 breach, and the
costs with this settlement are already reflected in reserves that
the company has previously disclosed, the spokeswoman said.
The investigation by state prosecutors found that hackers
accessed Target's server in November 2013 through credentials
stolen from a third-party vendor. The attackers used the
credentials to access a customer-service database and installed
malware that captured consumers' personal data, including credit
card numbers.
Tuesday's settlement requires Target to hire an executive to
oversee an information security program and an independent third
party to conduct a comprehensive security assessment.
Target also agreed to separate its cardholder data from the rest
of its computer network and to take other steps, including
implementing password rotation policies and two-factor
authentication.
Four years after the hack, Target's breach still ranks among the
most high-profile cyberintrusion incidents at a publicly traded
company. The theft took a heavy toll on the retailer's reputation
with shoppers, cut into sales and led to the ouster of the
company's chief executive.
It was followed by a string of similar breaches at other
well-known merchants, including Home Depot Inc., luxury retailer
Neiman Marcus Group Ltd. and Asian restaurant chain P.F. Chang's
China Bistro Inc.
Experts often point to the Target breach as a turning point that
alerted American corporations to the idea that managing
cybersecurity should be a priority for the C-suite, not only for
the IT department.
After the breach, Target faced dozens of lawsuits, as well as
federal and state investigations into how the company responded to
the attack. In 2015, it agreed to pay out millions in settlements
to reimburse financial institutions for costs incurred from the
breach.
The settlement is unlikely to leave Target vulnerable to more
private lawsuits, legal experts said. In general, consumers have
had trouble extracting big payouts after data breaches. Many
data-theft lawsuits have been dismissed after judges found
customers couldn't prove they suffered an actual harm from the
theft of their personal information.
Khadeeja Safdar contributed to this article.
Write to Nicole Hong at nicole.hong@wsj.com
(END) Dow Jones Newswires
May 24, 2017 02:47 ET (06:47 GMT)
Copyright (c) 2017 Dow Jones & Company, Inc.
Target (NYSE:TGT)
Historical Stock Chart
From Mar 2024 to Apr 2024
Target (NYSE:TGT)
Historical Stock Chart
From Apr 2023 to Apr 2024