Target Admits It Was Breached
Written by Evan SchumanYears after it was breached by a member of Albert Gonzalez’s cyberthief gang, some 17 months after it’s name was quietly kept out of an indictment where it was referenced and five months after StorefrontBacktalk published its involvement, Target has confirmed that it was the victim of a data breach.
“Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited,” said Target spokesperson Amy Reilly.
“A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved,” Reilly said.
This is a baffler and it’s merely the latest example of the strange data breach disclosure processes that major chains engage in.
Back when Target was alluded to in the initial Boston indictment of Gonzalez, authorities said they kept the chain’s name out of the filings because the chain had yet to make a public announcement.
But years later, as the criminal case appears to be winding down (guilty pleas entered, sentencing imminent), Target decides to reveal the breach. Why not before? Why now? If the publicly-held chain concluded that it had an obligation to confirm the breach, why release almost no details? What public good does that advance?
-Dan Stiel
January 8th, 2010 at 3:34 pm
The question I ask myself is “What did they do differently to stay under the radar and out of the press?” While they state “only a tiny fraction of guest credit and debit card data” were compromised, they process a lot of transactions and a “tiny fraction” could easily be thousands of cards. I know I’ve seen headlines about breaches with fewer than a thousand cards compromised so I go back to my question, what did they do differently?