Global Navigation
Office of The Attorney General
The State of New Jersey Office of The Attorney General (Dept. of Law & Public Safety) The State of New Jersey NJ Home Services A to Z Departments/Agencies OAG Frequently Asked Questions
Services A to Z Departments/Agencies OAG Frequently Asked Questions
OAG Home
OAG Contact
spacer
Back to News Releases
OAG Home Attorney General's Biography
Attorney General's Biography
spacer spacer spacer
   
 
spacer spacer spacer
spacer spacer spacer
For Immediate Release: For Further Information:
May 23, 2017

Office of The Attorney General
- Christopher S. Porrino, Attorney General
Division of Law
- Michelle Miller, Acting Director
Division of Consumer Affairs
- Steve C. Lee, Director
Media Inquiries-
Lee Moore
609-292-4791
spacer
Citizen Inquiries-
609-984-5828
spacer
spacer spacer spacer
spacer
Attorney General Porrino Announces Multi-State Settlement Resolving Investigation of Target Corp.’s Own Role in Data Breach
spacer
spacer spacer spacer
spacer
spacer
spacer spacer spacer
spacer

TRENTON – Attorney General Christopher S. Porrino announced today that Target Corp. has agreed to pay New Jersey, 46 other states and the District of Columbia a total of more than $18 million to resolve a multi-state investigation into a data breach that compromised the payment card information of more than 41 million shoppers nationwide.

Target’s $18.5 million settlement payout represents the highest valuation of a multi-state data breach investigation to date. The previous high amount was $9.75 million resulting from a 2009 settlement with TJX Companies, Inc.

In addition to the monetary terms, Target has agreed to enact a variety of cyber-security reforms designed to prevent similar data breaches in the future. The reforms include creation of an Information Security Program headed by an executive or officer whose chief role will be to implement the program and advise Target’s CEO and Board of Directors on privacy and security issues.

The November 2013 cyber-intrusion was carried out by attackers using credentials stolen from a third-party Target vendor. The States’ investigation found that the stolen credentials were used to exploit numerous security vulnerabilities within Target’s data storage network, allowing the attackers to access a customer data base and install malware on Target’s system that captured payment card information.

“This is an important settlement for New Jersey residents, not so much because of what it requires Target to pay – although the payment amount is historic -- but because of what it requires Target to do,” said Attorney General Porrino.
“As a result of this settlement,” Porrino said, “Target must adopt new policies and procedures that will strengthen its cyber security efforts and better protect the personal information of its customers here and across the country. We’re gratified to have played an integral role in negotiating this important outcome on behalf of New Jersey consumers.”

New Jersey, lead state Connecticut, and six other states formed the multi-state Executive Committee that investigated Target’s own role in the November 2013 data breach. Under terms of the settlement announced today, New Jersey will receive a total payout of $680, 411 from Target.

The security breach at issue compromised a data base that included contact information for more than 60 million Target customers nationwide, including full names, telephone numbers, e-mail addresses, mailing addresses, payment card numbers, expiration dates, CVV1 codes and encrypted debit PINS.

“Major retailers – including Target – routinely ask their customers to entrust them with personal information in service of payment card contracts, mailing lists, e-coupons and other promotions,” Attorney General Porrino said “But, if retailers are going to solicit such personal information and retain it in a data base, they have a duty to be vigilant about securing that data base. The terms of this settlement are designed to ensure that happens going forward.”

In addition to the requirement that Target create a new Information Security Program, the settlement contains approximately a dozen other injunctive terms designed to shore up the retailer’s cyber-security efforts. Among those injunctive terms are requirements that Target develop policies and procedures to ensure its vendors are complying with the Information Security Program, encrypt consumer payment card information throughout the course of a retail transaction, and segment its cardholder data environment from the rest of its computer network.

The injunctive terms also require that Target adopt, where possible, improved, industry-accepted payment card security technologies such as “chip” and “PIN” technology, and that the retailer take steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts. Target is also required under the settlement to obtain an Information Security Assessment from a third-party assessor, and to make the report on that assessment available to the states.

Deputy Attorney General Elliott M. Siebers, assigned to the Division of Law’s Government & Healthcare Fraud section, and Deputy Attorney General Patricia Schiripo, Assistant Chief of the Consumer Fraud Section, handled the Target matter on behalf of the State.

Follow the New Jersey Attorney General’s Office online at Twitter, Facebook, Instagram & YouTube. The social media links provided are for reference only. The New Jersey Attorney General’s Office does not endorse any non-governmental websites, companies or applications.

spacer
spacer spacer spacer
spacer
 
News Index Page I top
 
Executive Assistant Attorney General
Attorney General's Message Ask the Attorney General
Contact OAG About OAG
OAG News OAG Frequently Asked Questions
OAG Library Employment
OAG Grants Proposed Rules
OAG History OAG Services A-Z
Statutes
OAG Agencies / Programs / Units
Other News Pages Otras Noticias en Español Division of NJ State Police Division of Law News Governor's Office News Division of Highway Traffic Safety News Office of the Insurance Fraud Prosecutor Juvenile Justice Commission News Division on Civil Rights News Division of Consumer Affairs News Division of Criminal Justice News Election Law Enforcement Commission Division of Gaming Enforcement News
NJ State Police News Governor's Office News Division of Highway Traffic Safety News Office of the Insurance Fraud Prosecutor Juvenile Justice Commission News Division on Civil Rights News Division of Consumer Affairs News Division of Criminal Justice News Election Law Enforcement Commission Division of Elections News Division of Gaming Enforcement News Office of Government Integrity News
   
Contact Us | Privacy Notice | Legal Statement | Accessibility Statement
NJ Home Logo
Departmental: OAG Home | Contact OAG | About OAG | OAG News | OAG FAQs
Statewide: NJ Home | Services A to Z | Departments/Agencies | FAQs
Copyright © State of New Jersey
This page is maintained by OAG Communications. Comments/Questions: email or call 609-292-4925
OAG Home OAG Home NJ State Police News Governor's Office News Division of Highway Traffic Safety News Office of the Insurance Fraud Prosecutor Juvenile Justice Commission News Division on Civil Rights News Division of Consumer Affairs News Division of Criminal Justice News Election Law Enforcement Commission Division of Elections News Division of Gaming Enforcement News Office of Government Integrity News Click to Enlarge Image Click to Enlarge Image Click to Enlarge Graphic Click to enlarge chart Click to enlarge map Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click to Enlarge Click on image to enlarge... Click on image to enlarge... Click to enlarge...Click to enlarge...Click to enlarge...Click to enlarge... Click to enlarge...