Target was warned its credit card data was being stolen — and for 12 straight days did nothing about it

Business Insider
Shoppers ride an escalator at a Target Store in Chicago
.

View photo

Bloomberg Businessweek has published a damning cover story on the massive Target hack that compromised the credit and debit card data of 40 million customers last year.

Hackers stole the information stored on the magnetic strip on the backs of credit and debit cards, using malware installed in the company's security and payments systems from Nov. 27 to Dec. 15.

Bloomberg Businessweek says that six weeks before the hack, Target paid $1.6 million to install a malware detection tool on its systems, which was monitored around the clock by security specialists in Bangalore.

When hackers installed malware to extract compromised data on Nov. 30, the security specialists sent an urgent alert to Target's security team in Minneapolis, according to Bloomberg Businessweek. When hackers installed more malware and began extracting data on Dec. 2, Target reportedly received another alert.

Yet Target apparently did nothing.

Moreover, it reportedly ignored alerts from another antivirus system, and also reportedly had declined to use an option that would have automatically deleted malware as soon as it was detected.

The retailer later told Congress that it did not figure out what happened until after the U.S. Department of Justice notified the company about the hack on Dec. 12. In other words, Target was warned that hackers were removing credit card numbers from Target's system and for 12 days straight the company did nothing about it.

Target gave this statement to Bloomberg Businessweek:

Target was certified as meeting the standard for the payment card industry (PCI) in September 2013. Nonetheless, we suffered a data breach. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience. While we are still in the midst of an ongoing investigation, we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards. However, as the investigation is not complete, we don’t believe it’s constructive to engage in speculation without the benefit of the final analysis.

These kinds of hacks are not new.

In 2012, 63 Barnes & Noble stores suffered a data breach in which customer information was stolen. In 2007, discount retailer TJ Maxx learned thieves used its stores' wireless networks to access systems at its headquarters where card data was stored. And hackers installed malware on the internal systems of credit card processor Heartland Payment Systems in 2009 to steal data from 130 million cards.

For more on the hack, check out the Bloomberg Businessweek story >

More From Business Insider

 

View Comments (298)