BreachExchange mailing list archives

Did Target Ignore Its Security Staff's Data Breach Warnings?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Feb 2014 18:56:32 -0700

http://wallstcheatsheet.com/business/did-target-ignore-its-security-staffs-data-breach-warnings.html/

It's now been more than two months since Target (NYSE:TGT) suffered a
large-scale security breach that resulted in the theft of about 40 million
credit and debit card accounts, as well as 70 million other records with
customer information, but the retailer is still navigating the turmoil that
sprung from the theft. What's worse, sources are now saying that Target was
even warned of its vulnerability ahead of time.

According to the Wall Street Journal, at least two months before hackers
made a mess of Target's business during its most lucrative shopping season,
the company was alerted that its payment card system was not sufficiently
secure. Analysts wanted to review the retailer's payment system because new
types of malicious computer code targeting payment terminals had recently
emerged. Target at least initially brushed off the warnings, acknowledging
that there is always room for error and that it can't be avoided.

Target has an impressive cyber security intelligence team, but the problem
is the unit sees many threats each week and therefore can prioritize only
so many issues at each of its steering committee meetings. The team
may have been alerted that a suggested review was in order before the
breach occurred, especially because at the time, Target was updating its
payment terminals, but it's still unclear whether the review went through
and whether the warnings were taken seriously.

The Journal reports that the data breach still came as a big surprise to
CFO John Mulligan, who maintained in Washington earlier this month that
the company wasn't aware the malicious computer code that carried out
the attack was in its system until contacted by federal investigators late
last year. Though more retailers have recognized an increase in
malware penetrating systems, Target representatives stand by their
assertion that they were unaware of potential vulnerability, even though,
from the company's investigation, it has become more clear that Target's
breach was a sophisticated attack on an understood point of vulnerability.

So now it's up to retailers to decide whether security warnings should
really be taken more seriously, even though many companies are alerted of
numerous threats each week. Though many, if not all, companies have
recognized that new types of malicious computer code targeting payment
terminals are making everyone more vulnerable, Target's attack may prove to
be the final straw to conclusively prove how accessible retailers really
are.

Target customers are paying the price for the hack that resulted from the
theft of access credentials of one of Target's vendors, a refrigeration
contractor in Pennsylvania. The contractor, Fazio Mechanical Services,
confirmed it was breached and is cooperating with the Secret Service
investigation, according to the Wall Street Journal.

Some say that Target did not do enough to wall off its payment systems from
the rest of its vast network, especially because Target is Fazio's only
client with electronic billing, contract submission, and project management
that are managed on a remote basis. Regardless of who is at fault, Target
customers are now the ones dealing with fraudulent charges and millions of
credit and debit cards needing to be replaced by issuers.

Though no one, except maybe for rival Wal-Mart Stores (NYSE:WMT), is happy
this aggravation happened to Target, it at least serves as proof for other
retailers that any and all security warnings should be taken seriously.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 