• by Thom Forbes  @tforbes, May 24, 2017

Target yesterday agreed to pay $18.5 million to 47 states and the District of Columbia for a data breach in November 2013 that allowed hackers to obtain supposedly secure information about millions of its customers, including credit card numbers, expiration dates, CVV codes and encrypted debit PINs. 

The settlement ends an investigation led by the attorneys general in Connecticut and Illinois into how hackers stole data from tens of millions of accounts. Cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor, according to a news release from the office of New York State attorney general Eric Schneiderman announcing that the Empire State had received $635,000 in the settlement.

“The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and to install malware on the system that was used to capture consumer data,” it continues.

“After an internal review, Target acknowledged that it had missed signs of the data breach. The disaster helped push out the chief executive of Target, Gregg W. Steinhafel, who resigned in May 2014. Target’s current chief executive, Brian C. Cornell, took over in August of that year,” Rachel Abrams reminds us in the New York Times.

“Hackers went on to target other retailers, including Home Depot, in a series of digital attacks aimed at stealing sensitive customer information from millions of consumers around the country,” Abrams continues.

In June 2014, JP Morgan Chase was also hit by a breach, for example. It compromised the customer information of about 76 million households and 7 million small businesses.

“As part of the settlement announced on Tuesday, Target is required to adopt advanced measures to secure customer information such as employing an executive to oversee a comprehensive information security program as well as advise its chief executive and board,” Reuters’ Sruthi Ramakrishnan and Nandita Bose report. “The company is also required to hire a qualified third-party to conduct a comprehensive security assessment and encrypt or otherwise protect card information to make it useless if stolen.”

“While $18.5 million may seem like chump change to a company with a $30.3 billion market cap, it is still a sizable penalty for the relatively new field of data-breach enforcement actions,” observes Jessica Dye for Financial Times. “For comparison, the 2015 hack that compromised information for millions of users of … Ashley Madison resulted in a $17.5 million settlement with 13 states’ attorneys general as well as the Federal Trade Commission.”

California is getting more than $1.4 million, the largest share of any state, which it will use to enforce consumer protection laws, reports Samantha Masunaga for the Los Angeles Times.  

“Families should be able to shop without worrying that their financial information is going to get stolen, and Target failed to provide this security,” California attorney general Xavier Becerra says in a statement. “This should send a strong message to other companies: You are responsible for protecting your customers’ personal information.”

Wyoming, Wisconsin and Alabama are the three states not included in the settlement.

“Companies across sectors should be taking their data security policies and procedures seriously. Not doing so potentially exposes sensitive client and consumer information to hackers,” Connecticut AG George Jepsen, who led the investigation with Illinois AG Lisa Madigan, says in a statement cited by Kevin McCoy in USA Today.

“Experts often point to the Target breach as a turning point that alerted American corporations to the idea that managing cybersecurity should be a priority for the C-suite, not only for the IT department,” point out Nicole Hong and Khadeeja Safdar in the Wall Street Journal. “After the breach, Target faced dozens of lawsuits, as well as federal and state investigations into how the company responded to the attack. In 2015, it agreed to pay out millions in settlements to reimburse financial institutions for costs incurred from the breach.”

For its part, Target issued a statement saying, “We’re pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed.”

The cost to its reputation? 

“One thing is clear: a data breach is a PR and financial disaster. Companies often spot the intrusion too late, and respond inadequately, resulting in falling (temporary) sales and journalist outrage,” according to a January 2016 piece by Doug Drinkwater in CSO. But most experts agree that brand damage “can be significantly reduced if a breach is responded to properly,” he reports.