Target has reached an agreement to settle a multi-state investigation into a 2013 data breach that affected the payment information of more than 41 million customer payment accounts — one of the biggest hacking attacks in U.S. history.
As part of the settlement, Target promised a revamp of its data security practices, and agreed to pay $18.5 million to a number of state attorneys general.
“Today’s settlement with Target establishes industry standards for companies that process payment cards and maintain secure information about their customers,” said Illinois Attorney General Lisa Madigan. “People must remain vigilant about activity on their credit and debit cards as it's not a matter of if but when you are going to be a victim of identity theft or a security breach.”
The probe, led by the Illinois and Connecticut Attorneys General, found that hackers broke into Target's computer system using credentials stolen from a third-party air ventilation vendor in November 2013.
A weakness in Target's system allowed the attackers to then access its customer service database and install software that would capture customer data, which included shoppers' names, phone numbers, email addresses, mailing addresses, and payment information.
"We’ve been working closely with State Attorneys General for several years to address claims related to Target’s 2013 data breach," Target told BuzzFeed News in a statement. "We’re pleased to bring this issue to a resolution for everyone involved."
Target's CEO at the time, Gregg Steinhafel, resigned in the fallout from the breach. The company was also sued in a class-action lawsuit that is currently under appeal.
The settlement, embedded below, requires Target to develop and maintain an information security
program that is "reasonably designed" to protect consumer information and designate someone to ensure this program and information encryption policies are followed.
While Attorneys General who participated in the investigation tout the settlement's tough requirements for improved data security, some industry experts told BuzzFeed News the settlement at minimum formalizes existing standards.
"Everything listed is pretty much standard operating procedure and not onerous," Craig Spiezle, the executive director of the Online Trust Alliance/Internet Society, told BuzzFeed News. "The settlement fine is on the low side, all things considered."
Davi Ottenheimer, who develops security products with MongoDB, told BuzzFeed News that the settlement terms don't clearly lay out an enforcement plan and are redundant.
Retailers must already comply with industry payment security standards that are audited by independent firms and subject to fines. Ottenheimer, who previously worked as a security auditor, said that the enforcement action does not address the failures of the company's auditing process, which should have spotted its security weaknesses.
"If the auditors who did the work did a poor job, this Attorney General document should speak to that," he said. "You can’t be healthy if you don't have good doctors. It doesn’t talk about the doctors at all. It's just number 10 be healthy, number 11 be healthier."