Author: Warwick Ashford / Source: ComputerWeekly
US retailer Target has agreed to an $18.5m settlement with 47 US states and the District of Columbia over its 2013 data breach that affected tens of millions of customers.
The settlement comes on top of the $202m Target has spent on legal fees and other costs since the breach, according to the company’s most recent annual statement.
Cyber attackers stole the payment card data of more than 41 million customers as well as the contact information of more than 60 million customers.
The settlement was reached with 48 state attorneys general after an investigation led by the attorneys general of Connecticut and Illinois.
The investigation found that cyber criminals had gained access to Target’s gateway server using credentials stolen from a heating, ventilation and air conditioning contractor in November 2013.
The Pittsburgh-based contractor was connected to Target’s systems to provide electronic billing services, contract submissions and project management services.
Once on the gateway server, the cyber criminals were able to exploit weaknesses in the IT system to access a customer service database and install data-stealing malware on the point-of-sale (PoS) system.
The stolen data included customers’ full names, phone numbers, email addresses, home addresses and payment card data such as expiration dates, encrypted security codes and encrypted PINs.
In March 2014, Target admitted that IT security system had…