COLUMBUS, Ohio - Ohio Attorney General Mike DeWine today announced that Ohio has joined 46 other states and the District of Columbia in a settlement with the Target Corporation to resolve a multistate investigation into the company’s 2013 data breach.
The settlement requires Target to develop, implement, and maintain a comprehensive information security program to protect customers’ personal information.
“Protecting the privacy and security of consumers’ personal information is critical,” Attorney General DeWine said. “Identity theft is a big concern for many Ohioans, and it’s one of the reasons we’ve made cybersecurity a priority. This settlement is another way to help safeguard consumers’ personal information and protect them from data breaches and identity theft.”
The states’ investigation, led by Connecticut and Illinois, found that in November 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials then were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, to install malware on the system, and to capture data, including consumer names, telephone numbers, email addresses, mailing addresses, payment card numbers and expiration dates, and encrypted debit personal identification numbers (PINs).
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
Under the settlement, Target is required to employ an executive or officer responsible for executing the information security program and to hire an independent, qualified third party to conduct a comprehensive security assessment. Target also is required to maintain and support software on its network, to maintain appropriate encryption policies (particularly for cardholder and personal information data), to segment its cardholder data environment from the rest of its computer network, and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. Target also agrees to pay $18.5 million to the states.
Participating in the settlement are the attorneys general of Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.