BOISE, Idaho – Idaho joined 46 other states and the District of Columbia in reaching a $18.5 million settlement with Target Corp.

The settlement addresses the company’s 2013 data breach that affected more than 41 million payment card accounts and contact information for over 60 million customers, according to Idaho Attorney General Lawrence Wasden’s office.  In Idaho, the breach affected approximately 140,000 payment card accounts and contact information for approximately 280,000 customers.

The states’ investigation revealed that cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database and install malware on the system and to capture data. The attackers collected consumers’ full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, verification codes, and encrypted debit PINs.

The settlement requires Target to maintain an information security program. Target also must retain an independent third-party to conduct a comprehensive security assessment of the company. Other mandatory provisions of the settlement include:

  • maintaining appropriate encryption policies, particularly as they pertain to cardholder and personal information data;
  • segmenting its cardholder data environment from the rest of its computer network; and
  • undertaking steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Idaho will receive $192,956 from the settlement funds to cover its fees and investigative expenses.

 Source: The Office of Attorney General Lawrence Wasden