Idaho’s settlement with Target over data breach won’t give money to victims

File: This photo was taken at a store in Philadelphia.
File: This photo was taken at a store in Philadelphia. Associated Press

Target Corp. agreed to beef up its cybersecurity and pay $18.5 million as part of a 47-state settlement connected to a 2013 data breach that affected millions of U.S. customers.

Idaho will receive $192,956 from the settlement to cover its fees and investigative expenses, Idaho Attorney General Lawrence Wasden said.

None of the funds are going to affected shoppers, who may have been able to seek recompense through other means. Target is still trying to hash out a $10 million settlement in a consumer class-action lawsuit connected to the breach. The retailer paid out $39.4 million in 2015 to banks and credit unions who said they lost money and were put at risk as a result of the breach. That settlement followed a $67 million deal Target struck with Visa card issuers that year.

The states’ investigation found that the breach compromised more than 41 million payment card accounts, including 140,000 in Idaho, Wasden said in a news release. The breach also compromised contact information for more than 60 million customers, including about 280,000 in Idaho.

The settlement requires Target to maintain a cybersecurity program and retain an independent third-party to conduct a comprehensive security assessment of the company.

The states’ investigation found that hackers breached a system known as a gateway server using credentials stolen from a third-party vendor. The hackers then accessed a customer service database and installed malware on the system to capture customers’ full names, telephone numbers, email and mailing addresses, card numbers, expiration dates, verification codes and encrypted debit personal identification numbers.

Target also agreed to enhance security measures, including segmenting its cardholder data from the rest of its network, and to bolster password policies.

The agreement is the largest multistate data-breach settlement reached to date, according to the New York Attorney General’s Office. The fallout from the breach contributed to the ouster of Gregg Steinhafel as CEO in 2014. He was replaced by Brian Cornell, a former PepsiCo executive.

Zach Kyle: 208-377-6464, @ZachKyleNews