Georgia Joins $18.5M Settlement with Target Corporation over 2013 Data Breach

May 23, 2017

ATLANTA, GA – Attorney General Chris Carr today announced that Georgia has joined 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The settlement represents the largest multi-state data breach settlement to date.
“The state of Georgia considered many factors before joining this multi-state investigation,” said Attorney General Chris Carr. “We want to thank the state attorneys general who partnered with us and our team led by Sr. Assistant Attorney General Dan Walsh and our Consumer Protection Unit. It is important to remember that in a world where cybersecurity threats are evolving, so too must our efforts to combat them. We believe Target is being an amicable partner in correcting this situation by taking the necessary measures to address the issue at hand. Georgia will continue to cross borders and work with private, public, state, local and federal partners to make sure that we eliminate the truly bad actors from the playing field.”

The states' investigation, led by Connecticut and Illinois, found that, around November 12, 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database, install malware on the system and capture various forms of data including the following items:

  1. Full names
  2. Telephone numbers
  3. Email addresses
  4. Mailing addresses
  5. Payment card numbers, expiration dates and CVV1 codes
  6. Encrypted debit PINs

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
Georgia will receive $394,592.86  from the settlement.
In addition to Georgia, and led by Connecticut and Illinois, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.
 Attached, you will find a copy of the settlement document.