Delaware.gov logo

Delaware News


Delaware Joins Multistate Settlement With Target Corporation Over 2013 Data Breach

Consumer Protection | Department of Justice | Department of Justice Press Releases | News | Date Posted: Tuesday, May 23, 2017



Delaware has joined with 46 other states and the District of Columbia in a settlement with the Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach, resulting in increased protection for consumers.

The states’ investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target’s gateway server using credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system to capture data, including consumer personal and credit card data, as well as encrypted debit PINs. The breach affected more than 41 million customer payment card accounts nationwide and contact information for more than 60 million customers.

“Technology has expanded payment options for consumers and retailers, but it also comes with the additional risk that fraudsters can gain access to personal information,” Attorney General Matt Denn said. “This settlement reinforces to retailers that they must take this threat seriously.”

The settlement agreement requires Target to:

• Develop, implement and maintain a comprehensive information security program and employ an executive or officer responsible for executing the plan;
• Hire an independent, qualified third party to conduct a comprehensive security assessment;
• Maintain and support software on its network;
• Maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data;
• Segment its cardholder data environment from the rest of its computer network, and;
• Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

The settlement also requires Target to pay $176,328.16 to the Delaware Consumer Protection Fund, which funds work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions. Target will pay a total of $18.5 million to states in the settlement as a result of the breach.

In addition to Delaware, and lead states Connecticut and Illinois, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

A copy of the settlement can be seen here.

Deputy Attorney General Stephen McDonald of the Consumer Protection Unit handled the matter for the Delaware Department of Justice.

Recent Stories


Related Topics:  , , ,


Delaware Joins Multistate Settlement With Target Corporation Over 2013 Data Breach

Consumer Protection | Department of Justice | Department of Justice Press Releases | News | Date Posted: Tuesday, May 23, 2017



Delaware has joined with 46 other states and the District of Columbia in a settlement with the Target Corporation to resolve the states’ investigation into the retail company’s 2013 data breach, resulting in increased protection for consumers.

The states’ investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target’s gateway server using credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system to capture data, including consumer personal and credit card data, as well as encrypted debit PINs. The breach affected more than 41 million customer payment card accounts nationwide and contact information for more than 60 million customers.

“Technology has expanded payment options for consumers and retailers, but it also comes with the additional risk that fraudsters can gain access to personal information,” Attorney General Matt Denn said. “This settlement reinforces to retailers that they must take this threat seriously.”

The settlement agreement requires Target to:

• Develop, implement and maintain a comprehensive information security program and employ an executive or officer responsible for executing the plan;
• Hire an independent, qualified third party to conduct a comprehensive security assessment;
• Maintain and support software on its network;
• Maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data;
• Segment its cardholder data environment from the rest of its computer network, and;
• Undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

The settlement also requires Target to pay $176,328.16 to the Delaware Consumer Protection Fund, which funds work on consumer fraud and deceptive trade practice matters and other consumer-oriented investigations and legal actions. Target will pay a total of $18.5 million to states in the settlement as a result of the breach.

In addition to Delaware, and lead states Connecticut and Illinois, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Florida, Georgia, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

A copy of the settlement can be seen here.

Deputy Attorney General Stephen McDonald of the Consumer Protection Unit handled the matter for the Delaware Department of Justice.

Recent Stories


Related Topics:  , , ,