Newsroom

A 55-page document, which a federal district court judge ordered to be unsealed, indicates that Target waited to respond to alerts about its massive 2013 data breach to avoid interrupting sales promotions on "Cyber Monday" after Thanksgiving.

The document, reported in Credit Union Times, claims that Target ignored breach warnings and alerts on Nov. 24, 25, 26, 30 and Dec. 2 and delayed responding to the alerts because of Cyber Monday. Target finally responded to the issue only after the U.S. Secret Service contacted the company on Dec. 12, 2013.

The document also alleges that Target disabled and removed security features until after "Black Friday" and did not fully implement malware prevention measures. It also says Target implemented a "system freeze" between October 2013 and January 2014 – Target's busiest shopping season and the period in which the breach occurred – which made making adjustments to its security systems more difficult.

Target responded to CU Times with a denial of the allegations, calling the claims "old" and "long disputed." Target had requested the court keep the document sealed, but U.S. Magistrate Judge Jeffrey Keyes on Aug. 13 ordered it to be unsealed. A hearing on the plaintiffs' class certification is set for Sept. 10.

In related news, the Securities and Exchange Commission said it will not penalize Target for the data breach. Target filed a quarterly results document with the SEC which said the agency's investigation concluded between May and July, and that it will not pursue an enforcement action against the company.

NAFCU continues to monitor the case closely, and to push lawmakers to pass a national data security measure requiring retailers to be held to the same standards that financial institutions already follow.