BreachExchange mailing list archives
Did Target Ignore Its Security Staff's Data Breach Warnings?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Feb 2014 18:56:32 -0700
http://wallstcheatsheet.com/business/did-target-ignore-its-security-staffs-data-breach-warnings.html/

It's now been more than two months since Target (NYSE:TGT) suffered a large-scale security breach that resulted in the theft of about 40 million credit and debit card accounts, as well as 70 million other records with customer information, but the retailer is still navigating the turmoil that sprang from the theft. What's worse, sources are now saying that Target was warned of its vulnerability ahead of time.

According to the Wall Street Journal, at least two months before hackers made a mess of Target's business during its most lucrative shopping season, the company was alerted that its payment card system was not sufficiently secure. Analysts wanted to review the retailer's payment system because new types of malicious computer code targeting payment terminals had recently emerged. Target at least initially brushed off the warnings, acknowledging that there is always room for error and that it can't be avoided.

Target has an impressive cyber security intelligence team, but the problem is that the unit sees many threats each week and therefore can prioritize only so many issues at each of its steering committee meetings. The team may have been alerted that a suggested review was in order before the breach occurred, especially because at the time Target was updating its payment terminals, but it's still unclear whether the review went through and whether the warnings were taken seriously. The Journal reports that the data breach still came as a big surprise to CFO John Mulligan, who maintained in Washington earlier this month that the company wasn't aware the malicious computer code that carried out the attack was in its system until contacted by federal investigators late last year.
Though more retailers have recognized an increase in malware penetrating their systems, Target representatives stand by their assertion that they were unaware of the potential vulnerability, even though, from the company's investigation, it has become clearer that Target's breach was a sophisticated attack on an understood point of vulnerability. So now it's up to retailers to decide whether security warnings should really be taken more seriously, even though many companies are alerted to numerous threats each week. Though many, if not all, companies have recognized that new types of malicious computer code targeting payment terminals are making everyone more vulnerable, Target's attack may prove to be the final straw that conclusively proves how accessible retailers really are.

Target customers are paying the price for the hack that resulted from the theft of access credentials of one of Target's vendors, a refrigeration contractor in Pennsylvania. The contractor, Fazio Mechanical Services, confirmed it was breached and is cooperating with the Secret Service investigation, according to the Wall Street Journal. Some say that Target did not do enough to wall off its payment systems from the rest of its vast network, especially because Target is Fazio's only client whose electronic billing, contract submission, and project management are handled remotely. Regardless of who is at fault, Target customers are now the ones dealing with fraudulent charges and millions of credit and debit cards needing to be replaced by issuers. Though no one, except maybe rival Wal-Mart Stores (NYSE:WMT), is happy this aggravation happened to Target, it at least serves as proof for other retailers that any and all security warnings should be taken seriously.