May 23, 2017

Attorney General George Jepsen today announced that Connecticut has joined with 46 other states and the District of Columbia in an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The settlement represents the largest multistate data breach settlement achieved to date.

The states' investigation, led by Connecticut and Illinois, found that, on or about November 12, 2013, cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database; to install malware on the system and to capture data, including consumer data comprised of full names, telephone numbers, email addresses and mailing addresses; payment card numbers, expiration dates and CVV1 codes; and encrypted debit PINs.

The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

"Millions of consumers in Connecticut and across the country were impacted by this data breach and by what we believe, through our multistate investigation, were Target's inadequate data security protocols," Attorney General Jepsen said. "Companies across sectors should be taking their data security policies and procedures seriously. Not doing so potentially exposes sensitive client and consumer information to hackers. I'm glad that, through this settlement, we are assuring that Target improves its data protections. Target deserves credit for its actions in response to this breach, including its cooperation with our investigation and negotiations that led to this settlement.  I'm also hopeful that this settlement will serve to inform other companies as to what is expected of them in terms of the security of their consumers' information."

"I'm proud that Connecticut continues to lead the way with settlements like this one," said Consumer Protection Commissioner Michelle H. Seagull. "Cyber attackers are constantly evolving, and finding new ways to access our private information. That's why companies need to make sure they're security protocols are up to date, and informed by the newest technology available. We know businesses in Connecticut take consumer's private information seriously, and our door is always open to businesses and consumers who need to discuss ways to prevent their information from being stolen."

In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third-party to conduct a comprehensive security assessment.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Connecticut will receive $1,012,936 from the settlement, which will be deposited in the state's General Fund.

Other states participating in the settlement include Alaska, Arizona, Arkansas, California, Colorado, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

Assistant Attorneys General Michele Lucan and Matthew Fitzsimmons, head of the Privacy and Data Security Department, assisted the Attorney General with this matter.

###