Target has reached a record settlement agreement with many states' attorneys general over its 2013 data breach. The breach resulted in 41 million customers' payment card details being compromised and contact information for more than 60 million customers being exposed.
Under the terms of the settlement agreement "into the security incident announced by Target on Dec. 19, 2013," reached with the attorneys general of 47 states and the District of Columbia, Target will pay a fine of $18.5 million. The money will be disbursed among the states in amounts that the attorneys general have collectively agreed upon.
Per the agreement, the retailer must also comply with specific cybersecurity, auditing and reporting requirements. "[The] settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers," Illinois Attorney General Lisa Madigan says in a statement. "People must remain vigilant about activity on their credit and debit cards as it's not a matter of if but when you are going to be a victim of identity theft or a security breach."
The settlement agreement "represents the largest multistate data breach settlement achieved to date," according to New York Attorney General Eric T. Schneiderman. He says Target will also continue the free credit monitoring services that it has been offering to breach victims.
"This fine is significant," Chris Pierson, CSO and general counsel for financial technology payment firm Viewpost, tells Information Security Media Group. "It signals the fact that the AGs will continue to use financial penalties to hold companies accountable for data breaches involving both personally identifiable information and other financial information."
Despite being part of this settlement agreement, California is continuing a separate negotiation with Target "in a form consistent with the requirements of California law," and which may impose additional requirements on the retailer, the agreement notes. But the state has agreed to settle for the amount stipulated in this agreement.
The settlement agreement was signed on the retailer's behalf on May 15 by Carter Leuty, vice president of Target's legal division. "We've been working closely with state attorneys general for several years to address claims related to Target's 2013 data breach," a spokeswoman tells ISMG. "We're pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed."
This settlement follows a separate, $39 million settlement reached by the retailer with financial institutions affected by its 2013 breach in 2015. The same year, Target also agreed to settle a consolidated class action lawsuit - filed on behalf of affected consumers - by awarding $10 million to affected customers as well as $6.75 million for plaintiffs' attorneys' fees and expenses.
Hacked via HVAC Vendor
After stolen payment card data began flooding onto Rescator, an underground site that traffics in card data, and was traced to Target customers, the retailer publicly confirmed the breach on Dec. 19, 2013. On Jan. 10, 2014, it warned that the breach was larger than it had initially reported (see Data Breach Notifications: What's Optimal Timing?).
The investigation by states' attorneys general - led by the attorneys general of Connecticut and Illinois - has confirmed what is by now well known about how Target was hacked. Namely, on or about Nov. 12, 2013, attackers "accessed Target's gateway server through credentials stolen from a third-party HVAC vendor," the attorneys general say in a statement.
"The credentials were used to exploit weaknesses in Target's system, allowing the attackers to access a customer service database, install malware on the system and to capture customer data, including full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification codes and encrypted debit PINs," their statement adds.
The card-skimming malware used by Target's attackers, installed on point-of-sale devices, has not gone away either; it has instead reached epidemic proportions. Indeed, there is now seemingly no end to the list of retailers, hotels, restaurants and third-party service providers that continue to suffer copycat data losses (see InterContinental Hotels Group: Malware Hit 1,200 Locations).
Third-party vendors - not just payment card service providers - also continue to pose a cybersecurity risk to organizations. "A critical takeaway from this settlement and the breach is the reminder that the entry point for the hackers was a third-party vendor of Target's," Pierson says. "You can outsource or offshore the tasks but you can never [remove] the risk from the main company."
Target: 'Industry Standards'
The Target settlement agreement with attorneys general is also notable in that the attorneys general have signaled "industry standards" by which they want to see all organizations abide.
Broadly, Madigan - the Illinois attorney general - says those standards involve seven requirements:
Program: Develop, implement and maintain a comprehensive information security program;
CSO/CISO: Employ an executive or officer who is responsible for executing the plan, although the agreement does not mandate that this individual report directly to the CEO and board of directors, as many security experts would recommend;
Assess: Hire an independent and well-qualified third party to conduct regular, comprehensive security assessments;
Patch and maintain: Maintain and support software on the network "for data security purposes";
Encrypt: Maintain appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
Segment: Use network segmentation to protect the cardholder data environment from the rest of the computer network;
Control access: Rigorously control network access, including implementing password rotation policies and two-factor authentication.
Additional Requirements: Whitelisting, Monitoring
Within those stipulations are a number of must-have safeguards. These include separating development and production environments; logging and monitoring all security-related information, as well as devices that attempt to connect to its "cardholder data environment"; employing whitelisting to detect and block unauthorized applications from executing on POS terminals and related servers; and file integrity monitoring, to detect unauthorized changes to critical applications or operating systems that might touch cardholder data.
If the attorneys general believe that Target has violated the agreement, under the terms of the settlement, they will detail their complaints in writing to Target, which will then have 30 days "to provide a good faith written response" to the attorneys general.
Viewpost's Pierson says that based on media reports on Target's IT environment that have come out in the more than three years since it was breached, it appears that the retailer already has many of these controls in place and has thus been moving in a "positive direction ... in terms of its control methodology." But there may still be risk and operations-related improvements that it needs to put in place, he adds.
Data Breach Lawsuits
The reference by attorneys general to "industry standards" could be used in future breach-related lawsuits that seek class-action status. Many such lawsuits suggest that a breached business harmed consumers by failing to protect their personal information using industry-standard security practices and procedures.
Regardless, the majority of U.S. data breach lawsuits fail, because card issuers tend to reimburse consumers for any fraudulent expenses made using their payment cards. Judges, meanwhile, typically only find that there has been "injury" or "harm" when consumers suffer unreimbursed fraud (see Why So Many Data Breach Lawsuits Fail).