Schuette Announces Multistate Settlement with Target Corporation Following 2013 Data Breach

May 23, 2017

LANSING – Michigan Attorney General Bill Schuette today announced that his Corporate Oversight Division – along with attorneys general of 46 other states and the District of Columbia – negotiated an $18.5 million settlement with the Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. Michigan will receive $399,459.58 from the settlement.

“Keeping customers’ personal information safe must be a top priority for all retail companies,” said Schuette. “Target’s data breach broke some of the trust they had built with consumers and hopefully their willingness to change their security practices will restore faith in the company.”  

The settlement represents the largest multistate data breach settlement achieved to date. The breach itself affected more than 41 million customer payment card accounts and contact information for 70 million customers.

As part of the settlement, Target is required to hire an independent, qualified third-party to conduct a comprehensive security assessment to ensure customer data is safeguarded. This settlement only applies to the participating state cases against Target not private lawsuits related to the Target data breach.  Michigan’s portion of the settlement will go to the state General Fund.

Investigation and Settlement Details

The states' investigation found that, on or about November 12, 2013, personal data from millions of customers was stolen from Target stores. The cyber attackers accessed Target’s gateway server through credentials stolen from a third party vendor.  The thieves loaded malware and accessed the data from Target’s point-of-sale systems.  Target’s investigation into the incident revealed that personal information of 70 million customers, including name, addresses, phone numbers; email addresses, payment card numbers, expiration dates, CVV1 codes; and encrypted debit PINs were also stolen.

Michigan worked with 46 states and D.C. to investigate the breach.  That multistate investigation identified numerous failures within Target’s system that may have led to the breach.  

In addition to the monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

In addition to  Michigan, the settlement includes Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.

Copy of the settlement document