Attorney General Pam Bondi News Release
May 23, 2017
Contact: Whitney Ray
Phone: (850) 245-0150
en Español Print Icon Print Version

Settlement Reached with Target Regarding Data Breach

TALLAHASSEE, Fla.—Attorney General Pam Bondi and 47 other attorneys general are announcing the largest multistate data breach settlement achieved to date. The $18.5 million settlement with Target Corporation resolves the states' investigation into the retail company's 2013 data breach that affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. Florida served on the executive committee for the investigation.

“This data breach jeopardized the financial information of millions of Target customers in Florida and across the nation,” said Attorney General Bondi. “Under our multistate settlement announced today, Target consumers are now better protected from cyberattacks.”

The states' investigation found that cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The attackers used the credentials to exploit weaknesses in Target's system that allowed access to a customer service database, installation of malware on the system and the capture of data. Consumer data included full names, telephone numbers, email addresses, mailing addresses, payment card numbers, card expiration dates, CVV1 codes and encrypted debit PINs.

In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer responsible for executing the plan. The company is also required to hire an independent, qualified third-party to conduct a comprehensive security assessment.

As part of the settlement, Target is required to implement security measures including:

    • Maintain and support software on its network;
    • Segment its cardholder data environment from the rest of its computer network;
    • Maintain appropriate encryption policies, particularly as it pertains to cardholder and personal information data; and
    • Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

In addition to Florida, the following participated in this settlement: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

To view a copy of the settlement, click here.