In a settlement with the attorneys general of 47 states and the District of Columbia, retailer Target will fork over $18.5M as penalty for a breach which exposed the contact information of more than 60 million customers, according to Data Breach Today.
As a result of the exposure, revealed by Target in December 2013, payment card details of 41 million customers was exposed. Funds will be dispersed among the states.
The big-box retailer will also have to comply with a number of cybersecurity requirements – including segmentation of the cardholder environment from the rest of the network; development of a risk-based pen-testing program; risk-based access controls, including two-factor authentication; and file integrity monitoring and whitelisting. Complying with more stringent auditing and reporting requirements also are part of the deal.
The agreement “represents the largest multistate data breach settlement achieved to date,” said New York Attorney General Eric T. Schneiderman.
Carter Leuty, vice president of Target’s legal division, said the retailer was “pleased to bring this issue to a resolution for everyone involved.”
Target also will continue offering free credit monitoring services to those affected.
This agreement with the states comes on top of a different $39 million settlement that Target agreed to with financial institutions impacted by the breach. At the same time, Target agreed to pay $10 million to impacted customers in a class-action suit, along with $6.75 million in attorney fees and expenses.
“The $18.5 million settlement that Target reached after the ‘data breach heard around the world’ is a drop in the bucket compared to the incalculable reputational damage from such a high-profile cyber attack that’s been in headlines for half a decade and counting,” Fred Kneip, CEO at CyberGRX, told SC Media on Wednesday. “Beyond the headline, companies should take heed of what the settlement requires of Target, which includes the need for an independent security assessment. This should be required of every company and all of their contractors, suppliers, vendors and customers. The risk exposure of all third parties with access to your network must be measured, monitored and viewed as part of your extended ecosystem of responsibility.”
Chris Pierson, CSO of Viewpost, told SC on Wednesday that a critical takeaway from this settlement and the breach is the reminder that the entry point for the hackers was a third-party vendor of Target’s.
“You can outsource or offshore the tasks, but you can never move the risk from the main company. This calls for the resurgence of holistic cybersecurity programs that blend information assurance, vendor assurance, and procurement/contracting together to make sure companies are safeguarding their data and the access afforded to others of this data or even company access.”