The breach, which Target has said occurred between November 27 and December 15, 2013, affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Cyberattackers had hacked Target’s gateway server with credentials stolen from a third-party vendor, and then installed malware on the system that was used to capture consumer data, including full names, telephone numbers, email and mailing addresses, payment card numbers, expiration dates, CVV1 codes, and encrypted debit PINs.
“New Yorkers need to know that when they shop, their data will be protected,” said Schneiderman, who added that this was the largest multistate data breach settlement to date. “This settlement marks an important win for New Yorkers — bringing over $635,000 into the state, in addition to the free credit monitoring services for those impacted by the data breach, and key security improvements to help protect Target consumers moving forward.”
The data breach hurt Target’s overall sales, store traffic, revenues and profits for months. That led to Target’s then-chairman, president and chief executive officer Gregg Steinhafel resigning in May 2014. He was replaced in August of that year by current CEO Brian Cornell.
Target spokeswoman Jenna Reck said in a statement that the company has been working with state authorities for several years to address claims related to the breach. “We’re pleased to bring this issue to a resolution for everyone involved,” she said. The settlement also requires Target to maintain appropriate encryption policies and take other security steps. The company said it has already implemented those measures.