Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/24/2017
10:50 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Target Reaches Breach Settlement: $18.5 Million Fine, Security Controls

Target to cough up $18.5 million to 47 states in a settlement following its 2013 security breach, which exposed data of millions of customers.

Target will pay a total of $18.5 million to 47 states and the District of Columbia as part of an agreement with the state attorneys general, the New York Times reports.

The settlement for the 2013 security breach that compromised the data of millions of Target customers also mandates that Target implement specific security controls and a governance framework around cybersecurity, and follow certain audit and reporting guidelines.

The $18.5M payout is only a fraction of the Target breach's total cost. Target has shelled out $202 million on legal fees and other costs since the attack, the company reported in its annual statement. However, the fine is significant for a number of reasons.

"It signals the fact that the AGs will continue to use financial penalties to hold companies accountable for data breaches involving both personally identifiable information and other financial information," says Viewpost CSO Christopher Pierson, noting that $18.5M is the largest fine to date for State AGs.

Pierson acknowledges many of the security controls mandated in the settlement reportedly were already n place at Target, but says this signifies a positive direction toward a "more robust program wrapped around controls from a risk and operations perspective."

He calls this settlement a "shot across the bow" for all companies to take security and privacy seriously, and try to mitigate the number and scope of data breaches. While it does not require the CISO report to the board and CEO, it does require reporting throughout the year.

"Given the size, scope, and impact of this particular breach, it appears like an opportunity was missed to have cybersecurity be a direct reporting line to the CEO in a way that supports the cyber risks faced by major businesses today," Pierson says.

Target confirmed its systems were breached in late December 2013. Attackers stole 40 million credit card numbers, as well as their cardholders' names, expiration dates, and CVV codes. Any customer who used a credit or debit card between Nov. 27 and Dec. 15 was at risk.

This settlement marks the end of an investigation into how the hackers broke in. It was determined that attackers took credentials from a third-party vendor, and used them to breach a customer database and install malware that could be used to pilfer more customer data.

Given the attackers' point of entry, Pierson says this breach calls for the resurgence of holistic security programs that combine information assurance, vendor assurance, and procurement/contracting to ensure companies are monitoring their data and who has access to it.

Related Content

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2017 | 11:06:52 PM
Re: Settlement
@Joe. Oh wow, I missed the initial sentence. Regardless, thanks for clarifying.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/24/2017 | 10:56:32 PM
Re: Settlement
@Ryan: Exactly what it says.  The states (and DC).  They were the entities who brought suit under the laws that give them standing to do so.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/24/2017 | 12:15:19 PM
Settlement
Who was that settlement of 18.5M paid to, exactly?
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.