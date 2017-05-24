HELENA – Target announced on Tuesday that the company had reached an $18.5 million settlement over the massive data breach that occurred before Christmas of 2013, the agreement involved 47 states including Montana.

The settle resolved states’ investigation into the retail company’s 2013 data breach. It was the largest multistate data breach to date.

The Department of Justice released a statement on Tuesday regarding the settlement.

“(Tuesday’s) settlement is a step in the right direction toward restoring the confidence Montanans should expect when they shop, especially at major retailers, that their payment card information and personal data is safe,” Montana’s Attorney General Tim Fox said.

The statement said, the investigation found that in November of 2013 cyber attackers accessed Target’s gateway server through credentials stolen from a third-party vendor. The attackers were able to access customer data through the customer service database which included full names, telephone numbers, email addresses and mailing addresses; payment card numbers, expiration dates and CVV1 codes; and encrypted debit PINs.

The DOJ office said it’s estimated that between 150,000 and 210,000 Montana consumers may have been affected by the breach. Montana will receive nearly $178,600 from the settlement.

As a whole, the breach affected more than 41 million customer payment card accounts and contact information for more than 60 million customers.

“Target’s failure to safeguard customer information resulted in exposure to identity theft for thousands of Montanans during the holiday shopping season four years ago,” Attorney General Tim Fox said.

The settlement will not only include payment to the states, but also will require Target to develop, implement and maintain a comprehensive information security program and to employ an executive or officer who is responsible for executing the plan.

The company is also required to hire an independent, qualified third-party to conduct a comprehensive security assessment.

The settlement further requires Target to maintain and support software on its network; to maintain appropriate encryption policies, particularly as pertains to cardholder and personal information data; to segment its cardholder data environment from the rest of its computer network; and to undertake steps to control access to its network, including implementing password rotation policies and two-factor authentication for certain accounts.

Besides Montana, the other states affected are Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington and West Virginia and the District of Columbia.