Years after a massive data breach that cost Target so much in both money and reputation, the company has agreed to a major settlement with 47 states, with Illinois at the lead.
Illinois Attorney General Lisa Madigan announced the $18.5 million settlement Tuesday, calling it the largest of its kind – fitting, as the 2013 breach remains the biggest of any retailer to date.
Headed up by Madigan, the states involved in the investigation wanted reassurance that despite all the data and money lost, something positive can come from the incident for consumer protections.
The breach hit right in the throes of the holiday shopping crunch three-and-a-half years ago, when authorities said cyber attackers accessed Target’s gateway server through credentials stolen from a third-party HVAC vendor around Nov. 12, 2013.
The hackers then used the credentials to access Target’s customer service database, according to Madigan, where they installed malware to capture data including names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, credit card verification codes and encrypted debit pins.
In total, the breach impacted more than 60 million customers, including the payment information for 41 million people nationwide.
What Target lost in money is measurable, with more than $200 million paid back to banks and consumers. But as far as the company’s reputation goes – it’s unclear if the chain will ever recoup the trust that was lost.
“Target was absolutely the tipping point in the public’s perception that ID theft is real, and retailers recognizing they could no longer not invest in data security,” Madigan said in an exclusive interview with NBC 5.
“Banks and retailers had to get it together and put into place chip and pin technology that countries in the rest of the world have been using 20 to 25 years,” she added.
The settlement also sets industry standards for better protecting consumers’ information from future breaches.
In particular, Target will now be required to develop and maintain an information security program, data security software and encryption policies.
The company must also hire an executive officer to execute the plan, as well as an independent third party to conduct security assessments.
Essentially, the retail giant must engage in a constant effort to hack itself – to find the weak spots before the real hackers do.
The 2013 attack came through a simple phishing link that Madigan said exploited existing weaknesses in Target’s system.
“Target was unlucky in that that phishing scam was effective, and someone was able to get into their system and steal millions of people’s info,” Madigan said. “But also there were things they should have been doing that even Target knew.”
For its part, Target said it has been working with state attorneys general for several years to address issues raised by the data breach, and Madigan said the company has already rolled out most of the required changes.