Tennessee Joins $18.5 Million Settlement With Target Over 2013 Data Breach

Estimated 770,000 Tennesseans Were Impacted By The Cyber-Attack

  • Wednesday, May 24, 2017

Attorney General Herbert H. Slatery III announced Wednesday Tennessee has joined 46 other states and the District of Columbia in an $18.5 million settlement with Target Corporation to resolve the states' investigation into the retail company's 2013 data breach. The settlement represents the largest ever multistate data breach settlement. 

The states' investigation, led by Connecticut and Illinois, found that in November 2013 cyber attackers accessed Target's gateway server through credentials stolen from a third-party vendor. The credentials were then used to exploit weaknesses in Target's system, which allowed the attackers to access a customer service database. 

The cyber-attack exposed customer information including names, telephone numbers, email and mailing addresses. The attackers also gained access to payment card information including card numbers, expiration dates, CVV1 codes, and encrypted debit PINs. 

The data breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers. An estimated 770,000 Tennesseans were impacted by this attack. 

“Customers need to know their personal information is secure when they shop,” General Slatery said. “For companies, protecting their customer data should be as important to the transaction as the sale itself. The key to this settlement is taking steps to prevent future cyber-attacks.” 

In addition to monetary payment to the states, the settlement agreement requires Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan. The company is required to hire an independent, qualified third party to conduct a comprehensive security assessment.

The settlement further requires Target: 

To maintain and support software on its network; 

To maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; 

To segment its cardholder data environment from the rest of its computer network; 

To undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. 

As part of the settlement, the state of Tennessee will receive $311,616. 

In addition to Tennessee, other states participating in this settlement include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Texas, Utah, Vermont, Virginia, Washington, and West Virginia, as well as the District of Columbia.
