Target
Corp.’s computer security staff raised concerns about vulnerabilities in
the retailer’s payment card system at least two months before hackers stole 40 million
credit and debit card numbers from its servers, people familiar with the matter
said.
At least one analyst
at the Minneapolis-based retailer wanted to do a more thorough security review
of its payment system, a request that at least initially was brushed off, the
people said. The move followed memos distributed last spring and summer by the
federal government and private research firms on the emergence of new types of
malicious computer
code targeting payment terminals, a former employee said.
The suggested review also came as Target was updating those
payment terminals, a process that can open security
risks because analysts would have had less time to find holes in the new
system, the employee said. It also came at a difficult time—ahead of the
carefully planned and highly
competitive Black Friday weekend that would kick off the holiday shopping
period.
It wasn’t clear whether Target did the requested review
before the attack that ran between Nov. 27 and Dec. 18. The nature of the
feared security holes
wasn’t immediately clear, either, or whether they allowed the hackers to
penetrate the system.
The sheer volume of warnings that retailers receive makes it
hard to know which to take seriously. Target has an extensive cyber security
intelligence team, which sees numerous threats each week and could prioritize
only so many issues at its monthly steering committee meetings, the former
employee said.
Target declined to confirm or comment on the warning.
The breach has caused headaches for Target customers who
have dealt with fraudulent charges and have had millions of credit and debit
cards replaced by issuers. Investigators and card issuers haven’t quantified
damages from the attack.
No comments:
Post a Comment