US retailer Target has agreed to pay $18.5m to 47 states and the District of Columbia over its 2013 breach, which affected an estimated 70 million consumers.
The Assurance of Voluntary Compliance between the retail giant and relevant Attorneys General also sets out various safeguards that the retailer must implement.
These include: segmentation of the cardholder environment from the rest of the network; a risk-based penetration testing program; risk-based access controls, including two-factor authentication; and file integrity monitoring and whitelisting.
The pay-out is reported to be the largest multi-state settlement of its kind following a data breach, and it comes on top of other costs including payments to banks and card companies, the investigation, clean-up and remediation.
Those costs stood at around the $300m mark as of last year, with insurance covering roughly a third.
In some ways, the continued fall-out from one of the biggest ever breaches of its kind should be a warning to firms of the repercussions of poor cybersecurity.
However, Target made $16bn in sales in Q1 2017 alone, making the latest pay-out a mere drop in the ocean.
In fact, the case is a good illustration of why European regulators decided that the maximum fine under the forthcoming GDPR should be €20m or 4% of global annual turnover, whichever is higher. That is a strategy which should certainly make C-level executives sit up and take notice.
The incident itself came about in 2013 after an HVAC contractor was breached and its credentials were used to access Target’s systems. Details from an estimated 40m payment cards were stolen, and a total of 70m customers had their personal information compromised.
“We’re pleased to bring this issue to a resolution for everyone involved. The costs associated with this settlement are already reflected in the data breach liability reserves that Target has previously recognized and disclosed,” a Target statement noted.