March 14, 2014

Businessweek: Target warned before breach

March 17, 2014 – According to Bloomberg Businessweek, Target Corporation had multiple warnings that its system had been breached before the credit card information was actually taken – but failed to act.

In a report last week, Businessweek said both a $1.6 million malware detection tool from security firm FireEye and a team of security specialists in Bangalore alerted Target to the exfiltration malware installed in the company's security and payments system on Nov. 30. However, Target's security team in Minneapolis did not react to the warnings.

Target has not disclosed these warnings to Congress or the public. According to the report from Businessweek: "Poring over computer logs, Target found FireEye's alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn't begun transmitting the stolen card data out of Target's network. Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all."

Also last week, NAFCU President and CEO Dan Berger responded to the focus by Target and other retailers on "chip-and-PIN" technology as a way to avoid future hacking, pointing out that the real problem is retailers not taking responsibility: "Retailers continue to attempt to push chip-and-PIN technology as the centerpiece of much-needed data security reforms while continuing to resist any responsibility for breach costs or federal supervision.

"The retailers' zealous insistence on this aspect of security does nothing to afford consumers greater protection; their goal, instead, is to shield themselves from any additional oversight or cost," Berger continued. "In fact, many credit unions are already moving towards adopting EMV and chip-and-PIN technology, but if that switch were completed tomorrow, the merchants would not be equipped to handle it."

NAFCU was the first financial trade association to call on Congress to implement national data security standards in the wake of the massive Target breach, which has cost the credit union industry an estimated $30 million so far.