Target officials say that the Securities and Exchange Commission, one of several U.S. agencies investigating the massive data breach at the company in 2013, has decided not to punish Target as a result of the breach.
The Target data breach is one of the larger such incidents ever. The breach affected more than 100 million people and the attackers stole credit and payment card data, email addresses, physical addresses, and other personal information. Target has been hit with a number of suits and claims stemming from the breach, including claims by all of the major credit card companies. In its quarterly financial results filed earlier this week, the company said it has reached a settlement Visa that involves Target paying $67 million to Visa card issuers.
The filing also says that the SEC’s Enforcement Division has moved away from the idea of pursuing an enforcement action against Target.
“The SEC’s Enforcement Division concluded its investigation during the second quarter of 2015 and does not intend to recommend an enforcement action against us,” the filing says.
But that doesn’t mean Target is out of the woods yet. The company said more than 100 lawsuits were filed in courts around the country as a result of the breach. The suits filed in federal court were consolidated and the company has reached a $10 million settlement for that suit. There are still others pending, however, and several other government agencies, including the Federal Trade Commission, still are investigating the breach.
The data breach was the result of a major compromise at Target in late 2013 in which an attacker was able to mov through the company’s network and eventually install memory scraping malware on point-of-sale device.
“Based on our investigation, we believe that the intruder installed malware on our point-of-sale system in our U.S. stores and stole payment card data from up to approximately 40 million credit and debit card accounts of guests who shopped at our U.S. stores between November 27 and December 17, 2013. In addition, the intruder stole certain guest information, including names, mailing addresses, phone numbers or email addresses, for up to 70 million individuals,” the Target financial filing says.
In the wake of the breach, Target has begun rolling out newer POS devices that can handle chip-enabled payment cards and made a number of changes to its security infrastructure.
