Target reaches $18.5 million settlement on data breach with 47 states, including Arkansas

NEW YORK — Target Corp. has reached an $18.5 million settlement over a large data breach that occurred before Christmas in 2013, New York's attorney general said Tuesday.

The agreement involving 47 states and the District of Columbia is the largest multistate data breach settlement to date, Attorney General Eric T. Schneiderman's office said. The settlement, which stipulates some security measures the retailer must adhere to, resolves the states' probe into the breach.

Arkansas will receive $226,438.37, according to Attorney General Leslie Rutledge's office.

“Target failed to take appropriate action prior to 2013 to properly protect the personal financial information of its millions of customers,” Rutledge said in a news release. “Their decision has left many Arkansans susceptible to identity theft and forced many to close bank accounts and credit cards after their information was stolen. Because of the work of this multistate group, Target must properly protect the data of its customers.”

Target spokeswoman Jenna Reck said in a statement that the company has been working with state authorities for several years to address claims related to the breach.

"We're pleased to bring this issue to a resolution for everyone involved," she said.

Target had announced the breach Dec. 19, 2013, saying it occurred between Nov. 27 and Dec. 15 of that year. It affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers.

The breach forced Target to overhaul its security system and the company offered free credit reports for potentially affected shoppers. Target's sales, profit and stock price all suffered months after the disclosure as shoppers were nervous about their security of their credit cards. The breach also contributed to the departure of Target's then-CEO, chairman and president Gregg Steinhafel, who resigned in May 2014. CEO Brian Cornell took the helm in August 2014.

An investigation by the states found that in November 2013, scammers got access to Target's server through credentials stolen from a third-party vendor. They used those credentials to take advantage of holes in Target's systems, accessing a customer service database and installing malware that was used to capture data, including full customer names, telephone numbers, email and mailing addresses, credit card numbers, expiration dates and encrypted debit PINs.

The settlement requires Target to maintain appropriate encryption policies and take other security steps, though the company has already implemented those measures. Reck said the costs of the settlement are reflected in the reserves that Target has previously disclosed.

Upcoming Events