Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

News Now

CU System
How Target missed security warning signs: Businessweek
NEW YORK (3/14/14)--A team of security specialists. A $1.6 million malware detection tool. Compliance with payment card industry (PCI) standards. With these tools in place, retail giant Target still suffered one of the biggest data security breaches late last year.
 
According to a report in Thursday's Bloomberg Businessweek, Target didn't react to the red flags that went up--resulting in the compromise of more than 40 million credit and debit card numbers and 70 million addresses, phone numbers and other personally identifiable information.
 
The hackers' activity was detected Nov. 30 not only by the malware detection tool from FireEye but by security specialists in Bangalore. "Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happed at all," Businessweek wrote.  
 
The Target data breach cost credit unions an estimated $30.6 million, according to a survey by the Credit Union National Association (CUNA), and future fraud could increase these costs. Credit unions are among the plaintiffs in more than 90 lawsuits that have been filed against Target.
 
In an email to Businessweek, Target Chairman/President/CEO Gregg Steinhafel stated, "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach ...  we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards."
 
CUNA has asked Congress to address data security relative to merchants, who are not held to the same standards of security as financial institutions. In particular, CUNA suggests all payment system participants are held to comparable levels of federal data security requirements; those responsible for the data breach are responsible for the costs of helping consumers; and ensuring consumers know where their information was breached.
 
The stream of consumer data continues to flow from companies that hold the information of millions of people. Earlier this week, KrebsOnSecurity reported that 200 million consumer records held by Experian had been compromised (March 10).
 
The information was siphoned from Experian, one of the three major U.S. credit bureaus, through a company it had purchased in 2012. That company--Court Ventures--had an agreement to share consumer information with US Info Search and vice versa.
 
Through his connection with Court Ventures, Hieu Minh Ngo, a 24-year-old Vietnamese national, allegedly allowed customers of his identity-theft service to access the data.
 
In the transcript of Ngo's guilty plea in New Hampshire District Court, investigators found that his customers made about 3.1 million inquiries on American consumers over 18 months.
 
KrebsOnSecurity wrote, "At this point the government does not know how many U.S. citizens' [personally identifiable information] was compromised, although that information will be available in the near future," according to U.S. Attorney Arnold Huftalen.
Other Resources

Businessweek
RSS print
News Now LiveWire
September is National Preparedness Month. Read how your CU can get ready in #NewsNow #NPM @AgilityRecovery @Readygov
10 hours ago
Bay Area #creditunions featured in @SFBusinessTimes article http://t.co/SE7W81Ulia
12 hours ago
#NewsNow: 8 CU advisory board, new senior leaders named at @CFPB. http://t.co/EPKgHEDRRN
13 hours ago
#NewsNow: @FTC warns of government impostor scams. http://t.co/MMWBOcrqwJ
14 hours ago
Registration open for @CUNAMutualGroup's Discovery Conference #NewNow http://t.co/CATF0j9ct1
14 hours ago