Beshear: Target pays Kentucky $200,000 in penalties
FRANKFORT, Ky. (WTVQ) – Attorney General Andy Beshear on Tuesday announced that Kentucky has settled with the Target Corporation to resolve an investigation into the retailer’s 2013 data breach that affected 700,000 Kentuckians.
Kentucky’s general fund will receive $209,000 from the multimillion-dollar settlement that includes 47 states and the District of Columbia. The settlement does not affect any private right of action by consumers, and only applies to claims brought by AGs under states’ consumer protection laws to hold companies accountable.
The settlement agreement also requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive officer who is responsible for executing the plan, Beshear said.
“At a time in our nation when cyber-attacks are rampant throughout the public and private sectors, it’s even more critical we have safeguards in place to protect citizens from hacks,” Beshear said. “This settlement requires Target to strengthen its security protocols over private individuals’ information so this type of breach never happens again.”
The settlement represents the largest multistate data breach settlement achieved to date, Beshear said. His office is presenting Kentucky’s portion of the settlement to Franklin Circuit Court today.
The breach affected more than 41 million customer accounts and the contact information of more than 60 million customers nationwide.
The investigation by the states, led by Connecticut and Illinois, uncovered that, on or about Nov. 12, 2013, cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor.
The credentials were then used to exploit weaknesses in Target’s system, allowing access to a customer service database, the installation of malware on the system, and the capture of data, including consumer data consisting of full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, CVV1 codes and encrypted debit PINs.
Beshear said that, to strengthen its data security protocols, the company is required to hire an independent, qualified third party to conduct a comprehensive security assessment, along with numerous other safety measures to protect consumers.
Neighboring states participating in the settlement are Illinois, Indiana, Missouri, Ohio, Tennessee, Virginia and West Virginia.