Target settles with 47 states over its 2013 data breach
It's paying $18.5 million and promising to mend its security habits.
Believe it or not, Target still isn't done paying the price for the 2013 breach that exposed the shopping data of tens of millions of customers. The retailer has reached a settlement with 47 states (and the District of Columbia) that will have it pay a collective $18.5 million and institute key reforms. It'll have to separate its card data from the rest of its network, further control access to its network (such as by implementing two-factor authentication) and run "appropriate" encryption policies. It'll also have to implement a "comprehensive" info security program with a dedicated executive, and hire an outside firm for security reviews.
As far as settlements go, this is one of the smaller examples. Target is shelling out more than the $10 million it paid to individual victims, but the current settlement is peanuts compared to the $39 million paid to banks and the $67 million Visa agreement. It's barely comparable to the $19 million MasterCard payout.
However, this will likely serve as yet another reminder that lax security (such as Target's decision to ignore hack alerts for 12 days) can have long-lasting consequences for retailers, let alone customers. It also represents a closure of sorts Target can spend less time dealing with the fallout from the breach and focus more on reducing the chances of a repeat disaster.
