Idaho joins in settlement in Target breach |
May 23, 2017 |
Idaho Attorney General Lawrence Wasden
announced today that Idaho has joined 46 states
and the District of Columbia in reaching an
$18.5 million settlement with the Target
Corporation. The settlement addresses the
company’s 2013 data breach that affected more
than 41 million payment card accounts and
contact information for over 60 million
customers. In Idaho, the breach affected approximately 140,000 payment card accounts and contact information for approximately 280,000 customers. The states’ investigation revealed that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware on the system and to capture data. The attackers collected consumers’ full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, verification codes, and encrypted debit PINs. The settlement requires Target to maintain an information security program. Target also must retain an independent third-party to conduct a comprehensive security assessment of the company. Other mandatory provisions of the settlement include maintaining appropriate encryption policies, particularly as they pertain to cardholder and personal information data, segmenting its cardholder data environment from the rest of its computer network; and undertaking steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. Idaho will receive $192,956 from the settlement funds to cover its fees and investigative expenses. |