Target's CEO is being replaced after a 35-year career with the company. News like that should get the attention of corporate boards looking at their overall risk profile and at how meaningful a data breach is to the bottom line. Last week, Target announced a new Chief Information Officer and additional security enhancements, including a move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.
UPDATE: Bloomberg BusinessWeek is reporting:
“In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.” http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#r=hpt-tout
“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”
See post below with description of the Target breach and the aftermath.
It is now being reported in the press that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems’ vulnerability to malware, but the request was brushed off. The request came in response to governmental/industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.
Trade group emerges:
On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced. The group is bringing together the retail and financial services sectors. Its goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.” The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups, including the National Retail Federation, are also participating.