Report: Target Warned, but Ignored Credit Card Hack

John Lister

A major financial news outlet has accused Target of missing clear warning signals that it was being hacked and that customer data was being put at risk. Target is the second largest discount retailer in the United States, after Walmart.

In December 2013, Target confirmed that hackers had stolen credit card data from 40 million customers. The attack happened approximately 19 days after American Thanksgiving (November 28, 2013). The theft affected not only customers who had used credit cards online, but also those who had used them in stores.

According to Bloomberg Businessweek, Target had already set up a security center in Bangalore, India, specifically to look for any sign of suspicious activity. It also had access to specialist software designed solely to find malware on the company's networks. (Source: businessweek.com)

Target claims that it wasn't aware of the hacking until the middle of December, which is when the US Department of Justice informed the company that customers had suffered an unusually high level of card fraud.

Two Hacking Alerts Ignored by Security Team

The Bloomberg report says that Target was aware of a security alert on November 30th, when the hackers 'switched on' the malware to take advantage of the start of the holiday shopping season. A second alert came two days later when hackers updated the malware.

"Based on their interpretation and evaluation of [the] activity, the [Target security] team determined that [the threats] did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different," a spokesperson for Target said. (Source: computerworld.com)

Exactly why Target didn't follow up on the alerts is a rather big question. To make things worse, the specialist software it used had an option to automatically delete any malware it spotted, but Target had this option switched off, relying instead on human judgment to deal with any threats.

Target Hacking Could Have Political, Legal Fallout

The lack of immediate action is particularly significant. Although hackers had access to data right away, they didn't extract it until after December 2nd, 2013. That means that if Target had followed up on the alert immediately, it's highly likely no customers would have been affected by the breach.

The fallout from the revelations could be devastating for Target. It's already facing multiple lawsuits from customers who were hugely inconvenienced by their cards being used fraudulently.

Target may also face serious questions from Congress about testimony it gave about the breach, during which it made no mention of the security alerts.

What's Your Opinion?

Were you affected by the Target hack? Has this story in particular put you off from shopping at Target altogether? Does the news that Target may have missed or even ignored the security warning change the way you view Target? Lastly, do you believe there should be tougher laws (and penalties) to help ensure companies are more responsible in handling their customer data?


Comments

DavidFB

Certainly interesting, but not a surprise if the software and staff are new to it and have no yardstick for evaluation. They had the misfortune of getting a whopper before they got other samples. But still - the flags should have been clear enough there was a problem. Overworked also?

Another challenge Target faces is Canada. They recently launched stores across Canada but have had large supply problems, didn't do well over the key Xmas shopping season and lost millions.

I've been to a store here once, only because they had something others were sold out of. (ironically) The place seemed half empty, customers were grumpy about it and it wasn't busy. They're not perceived to be a good deal here, yet they only have 4.4% margins.

They now plan to hide the Canadian sales figures. But an analyst says they should do progressively better here this year. We'll see.

malper1942

They may have ignored the warnings in order not to affect the Holiday selling season.

TopDriver

I am an unemployed IT person with over 25 years of experience. I believe part of the reason (not all) is because American CEOs have decided to line their pockets with more money through out-sourcing IT jobs to India and China.

Anyone who has called a Computer Technical Support (IT Support) person that is located in India will tell you that CONVERSING with them is a NIGHTMARE. In my experience, people from India (even in the United States) will tell you that they understand the English Language but if you spend significant time talking with them; they don't completely understand our communication and business ethics. THEY DON'T GET IT!

Now, I'll wrap this up. I hope Target goes out of business (I don't wish this on anyone normally)!!! But, between the communication breakdowns within Target Management and their IT department about this hacking, IT SECURITY being out-sourced to INDIA, and the complete disregard that Target has for its customers' credit cards; THEY DESERVE IT!!!!

I WILL NOT PURCHASE another item from TARGET!!!

An Unemployed IT Guy