Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

News Now

CU System
How Target missed security warning signs: Businessweek
NEW YORK (3/14/14)--A team of security specialists. A $1.6 million malware detection tool. Compliance with payment card industry (PCI) standards. With these tools in place, retail giant Target still suffered one of the biggest data security breaches late last year.
 
According to a report in Thursday's Bloomberg Businessweek, Target didn't react to the red flags that went up--resulting in the compromise of more than 40 million credit and debit card numbers and 70 million addresses, phone numbers and other personally identifiable information.
 
The hackers' activity was detected Nov. 30 not only by the malware detection tool from FireEye but by security specialists in Bangalore. "Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happed at all," Businessweek wrote.  
 
The Target data breach cost credit unions an estimated $30.6 million, according to a survey by the Credit Union National Association (CUNA), and future fraud could increase these costs. Credit unions are among the plaintiffs in more than 90 lawsuits that have been filed against Target.
 
In an email to Businessweek, Target Chairman/President/CEO Gregg Steinhafel stated, "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach ...  we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards."
 
CUNA has asked Congress to address data security relative to merchants, who are not held to the same standards of security as financial institutions. In particular, CUNA suggests all payment system participants are held to comparable levels of federal data security requirements; those responsible for the data breach are responsible for the costs of helping consumers; and ensuring consumers know where their information was breached.
 
The stream of consumer data continues to flow from companies that hold the information of millions of people. Earlier this week, KrebsOnSecurity reported that 200 million consumer records held by Experian had been compromised (March 10).
 
The information was siphoned from Experian, one of the three major U.S. credit bureaus, through a company it had purchased in 2012. That company--Court Ventures--had an agreement to share consumer information with US Info Search and vice versa.
 
Through his connection with Court Ventures, Hieu Minh Ngo, a 24-year-old Vietnamese national, allegedly allowed customers of his identity-theft service to access the data.
 
In the transcript of Ngo's guilty plea in New Hampshire District Court, investigators found that his customers made about 3.1 million inquiries on American consumers over 18 months.
 
KrebsOnSecurity wrote, "At this point the government does not know how many U.S. citizens' [personally identifiable information] was compromised, although that information will be available in the near future," according to U.S. Attorney Arnold Huftalen.
Other Resources

Businessweek
RSS print
News Now LiveWire
.@TheNCUA says late 2Q Call Report filers 2 pay total of $17,111 in penalties.Individual penalty range is $52 to $1,824;median is $256. 2of2
27 minutes ago
All 44 #CUs subject to civil money penalties 4 late filing their 2Q Call Reports have consented to those penalties, says @TheNCUA 1of2
30 minutes ago
Full text of @DuchessCornwall's #ICUDay speech: 'a cause worth championing' http://t.co/UNNJa0uBSS
1 hours ago
#Bank disgust not only factor driving #creditunion millennial membership: Inc. http://t.co/sHnjhQwDKc
1 hours ago
#NewsNow Regulator says large banks could face downsizing for ethics gaps http://t.co/B8SMd0RCNr
1 hours ago