COLUMBUS – Target has agreed to pay $18.5 million to Ohio, 46 other states and the District of Columbia as a result of a massive 2013 data breach.
Under the settlement announced Tuesday, the retail giant will also tighten security on its data networks and separate cardholder data from the rest of its computer network, according to the office of Ohio Attorney General Mike DeWine.
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.
Cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor, which were used to exploit weaknesses in Target’s system, allowing the hackers to access a customer service database, install malware and capture data, including consumer names, telephone numbers, email addresses, mailing addresses, payment card numbers and expiration dates, and encrypted debit personal identification numbers, DeWine said.
The agreement also requires Target to employ an executive or officer responsible for executing the information security program and to hire an independent, qualified third party to conduct a comprehensive security assessment.
The chain will also maintain software on its network and separate cardholder data from the rest of its computer network. Additionally, the company has agreed to tighten access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.