NEW YORK (3/14/14)--A team of security specialists. A $1.6 million malware detection tool. Compliance with payment card industry (PCI) standards. With these tools in place, retail giant Target still suffered one of the biggest data security breaches late last year.
According to a report in Thursday's Bloomberg Businessweek, Target didn't react to the red flags that went up--resulting in the compromise of more than 40 million credit and debit card numbers and 70 million addresses, phone numbers and other personally identifiable information.
The hackers' activity was detected Nov. 30 not only by the malware detection tool from FireEye but by security specialists in Bangalore. "Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happened at all," Businessweek wrote.
The Target data breach cost credit unions an estimated $30.6 million, according to a survey by the Credit Union National Association (CUNA), and future fraud could increase these costs. Credit unions are among the plaintiffs in more than 90 lawsuits that have been filed against Target.
In an email to Businessweek, Target Chairman/President/CEO Gregg Steinhafel stated, "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach ... we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards."
CUNA has asked Congress to address data security relative to merchants, who are not held to the same standards of security as financial institutions. In particular, CUNA suggests that all payment system participants be held to comparable levels of federal data security requirements; that those responsible for the data breach be responsible for the costs of helping consumers; and that consumers know where their information was breached.
The stream of consumer data continues to flow from companies that hold the information of millions of people. Earlier this week, KrebsOnSecurity reported that 200 million consumer records held by Experian had been compromised (March 10).
The information was siphoned from Experian, one of the three major U.S. credit bureaus, through a company it had purchased in 2012. That company--Court Ventures--had an agreement to share consumer information with US Info Search and vice versa.
Through his connection with Court Ventures, Hieu Minh Ngo, a 24-year-old Vietnamese national, allegedly allowed customers of his identity-theft service to access the data.
In the transcript of Ngo's guilty plea in New Hampshire District Court, investigators found that his customers made about 3.1 million inquiries on American consumers over 18 months.
KrebsOnSecurity wrote that, according to U.S. Attorney Arnold Huftalen, "At this point the government does not know how many U.S. citizens' [personally identifiable information] was compromised, although that information will be available in the near future."