Michigan to receive nearly $400K in Target settlement

New York — Michigan Attorney General Bill Schuette says the state will receive nearly $400,000 from an $18.5 million settlement with Target Corp. to resolve a multi-state probe into the discounter’s pre-Christmas data breach in 2013.

Target’s breach affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. The breach forced Target to overhaul its security system. The company offered free credit reports for potentially affected shoppers.

The settlement requires Target to maintain appropriate encryption policies and take other security steps.

Schuette said Tuesday in a statement that the state’s proceeds from the settlement will go to its General Fund.

The settlement involving 47 states and the District of Columbia is the largest multistate data breach settlement to date, N.Y. Attorney General Eric T. Schneiderman’s office said.

Target spokeswoman Jenna Reck said in a statement that the company has been working with state authorities for several years to address claims related to the breach.

“We’re pleased to bring this issue to a resolution for everyone involved,” she said.

The breach forced Target to overhaul its security system and the company offered free credit reports for potentially affected shoppers. Target’s sales, profit and stock price all suffered months after the disclosure as shoppers were nervous about their security of their credit cards. The breach also contributed to the departure of Target’s then-CEO, chairman and president Gregg Steinhafel, who resigned in May 2014. CEO Brian Cornell took the helm in August 2014.

Target’s data breach was the first in a series of scams that hit other retailers including SuperValu and Home Depot. It forced the retail industry, banks and card companies to increase security and sped the adoption of microchips into U.S. credit and debit cards.

An investigation by the states found that in November 2013, scammers got access to Target’s server through credentials stolen from a third-party vendor. They used those credentials to take advantage of holes in Target’s systems, accessing a customer service database and installing malware that was used to capture data, including full customer names, telephone numbers, email and mailing addresses, credit card numbers, expiration dates and encrypted debit PINs.