As banks large and small line up to bring a lawsuit against Target Corporation (NYSE:TGT) over its data breach that is said to have cost the financial institutions millions, a new revelation that Target knew about the breach of its internal security system before the data was transmitted to computer thieves could complicate the retailer’s legal defense.
Target said to have ignored warning of security breach
According to a report in Bloomberg, Target Corporation (NYSE:TGT) received then ignored warnings from a security software application it had recently installed. Close to 40 million people had vital personal information, such as credit card numbers, stolen days later.
The FireEye software flagged the infectious malware on Nov. 30, according to the report, before customer data had been transferred to the computer thieves. Target Corporation (NYSE:TGT) delayed acting on the warning, giving the computer thieves enough time to abscond with customer information. An automatic setting that could have automatically deleted the malware virus was turned off.
Target Corporation (NYSE:TGT) issued a statement to NBC news following the Bloomberg article, but it did not address the timing of when the security breach was first discovered and when they acted. “Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team,” the statement read. “That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different.”
Report doesn’t mince words
The Bloomberg report doesn’t mince words when discussing the issue. “Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target Corporation (NYSE:TGT) stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”
Target Corporation (NYSE:TGT)’s CEO issued an e-mail statement to Bloomberg: “Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.”
Another explanation of why the breach occurred, circulated in initial reports, said a top Target Corporation (NYSE:TGT) security executive had departed the company the month previous, and the software was relatively new and un-trusted.
As reported in ValueWalk, Target Corporation (NYSE:TGT)’s chief technology officer had recently resigned in wake of the breach.