In Largest Settlement of its Kind, Massachusetts to Receive $625,000 After Investigation into Target Data Breach
Payment Part of $18.5 Million Multistate Settlement; Nearly One Million Consumers in Massachusetts May Have Been Affected
BOSTON – In the largest national data breach settlement to date, Target will pay Massachusetts $625,000 to resolve a multistate investigation into the 2013 data breach that compromised nearly one million credit or debit cards of Target customers in Massachusetts, Attorney General Maura Healey announced today.
The $18.5 million multistate settlement is the result of an investigation by AG Healey’s Office along with 46 other states and the District of Columbia into the 2013 data breach at Target Corporation during which hackers accessed the retail company’s gateway server through credentials stolen from a third-party vendor.
“Consumers should be able to shop without fear that their credit card information will be stolen,” said AG Healey. “This settlement makes clear that we expect retailers to take meaningful steps to protect consumers’ credit and debit card information from theft. Massachusetts will continue to take a leading role in protecting the security of our residents’ data.”
The investigation found that the stolen credentials were used to exploit weaknesses in Target’s system, which allowed the attackers to access a customer service database, install malware on the system and then capture data from credit or debit card transactions at Target stores (including stores in Massachusetts) from Nov. 27, 2013 to Dec. 15, 2013. The stolen data included consumers’ full names, telephone numbers, email addresses, mailing addresses, payment card numbers, expiration dates, security codes, and encrypted debit PINs.
Following reports of a data breach at Target in December 2013, the AG’s Office offered consumers information on how to protect their information against identity theft.
The breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers nationwide. In Massachusetts, the breach compromised information from approximately 947,000 customer payment card accounts and other personally-identifying information of about 1.5 million Massachusetts residents.
Pursuant to the assurance of discontinuance filed in Suffolk Superior Court today, Massachusetts will receive a $625,000 payment. In addition to the monetary payment to the states, the settlement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.
The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as they pertain to cardholder data and personal information; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.
If you believe that you have been the victim of identity theft, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400, or view the Federal Trade Commission's identity theft resource, available at www.consumer.gov/idtheft/. Guidance for businesses on data breaches can be found here.
In Massachusetts, this case was handled by Assistant Attorney General Sara Cable, Director of Data Security & Privacy in the AG’s Consumer Protection Division, and Assistant Attorney General Jared Rinehimer, also of the AG’s Consumer Protection Division.
In addition to Massachusetts, the other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and the District of Columbia.