Target Corp. has admitted that it detected the cyber-attack that led to the theft of over 100 million records containing customers’ personal information long before it took action.
Bloomberg Newsweek reported that Target’s security team in Bangalore, India received security alerts on November 30, 2013, that malicious code had appeared in the company network. The security team then told the company’s home office in Minneapolis about the suspicious activity.
According to a Target spokesperson,
That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.
Target didn’t disclose the data breach until December 19, when it revealed that 40 million credit and debit card accounts had been compromised. On January 10, 2014, the company revealed that names, phone numbers, street addresses, and email addresses for 70 million customers had been stolen.
Target’s chief information officer has since resigned.
Target’s sales, profit and stock price all plunged in the wake of the massive breach. The company’s fourth-quarter profit for 2013 fell 46% and revenue declined 5.3%.
Many Target customers have switched to cash when shopping at the store. For some people, that means they’re spending less.
Over 80 legal actions have been filed as a result of the breach, but Target said that it plans to dispute any claims from payment card networks that the company was not in compliance with security industry standards.
And that’s the problem right there. “Security industry standards” obviously aren’t good enough if following them can lead to the theft of 100 million customer records.
One problem is that banks and retailers can’t agree about whose problem it is when a store’s computer network is hacked.
The answer is that it’s everyone’s problem, and the solution needs to be one that will work across the board, from ATMs to Amazon.com.
Sony Pictures has bought the rights to a New York Times article about security expert Brian Krebs, who broke the Target news on his blog Krebs on Security.
Sounds like a horror story to us. One that PACid’s dynamic encryption could have prevented.
