Archive Links

Consumer Archive
CU System Archive
Market Archive
Products Archive
Washington Archive

News Now

CU System
How Target missed security warning signs: Businessweek
NEW YORK (3/14/14)--A team of security specialists. A $1.6 million malware detection tool. Compliance with payment card industry (PCI) standards. With these tools in place, retail giant Target still suffered one of the biggest data security breaches late last year.
 
According to a report in Thursday's Bloomberg Businessweek, Target didn't react to the red flags that went up--resulting in the compromise of more than 40 million credit and debit card numbers and 70 million addresses, phone numbers and other personally identifiable information.
 
The hackers' activity was detected Nov. 30 not only by the malware detection tool from FireEye but by security specialists in Bangalore. "Had the company's security team responded when it was supposed to, the theft that has since engulfed Target, touched as many as one in three American consumers, and led to an international manhunt for the hackers never would have happed at all," Businessweek wrote.  
 
The Target data breach cost credit unions an estimated $30.6 million, according to a survey by the Credit Union National Association (CUNA), and future fraud could increase these costs. Credit unions are among the plaintiffs in more than 90 lawsuits that have been filed against Target.
 
In an email to Businessweek, Target Chairman/President/CEO Gregg Steinhafel stated, "Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach ...  we have already taken significant steps, including beginning the overhaul of our information security structure and the acceleration of our transition to chip-enabled cards."
 
CUNA has asked Congress to address data security relative to merchants, who are not held to the same standards of security as financial institutions. In particular, CUNA suggests all payment system participants are held to comparable levels of federal data security requirements; those responsible for the data breach are responsible for the costs of helping consumers; and ensuring consumers know where their information was breached.
 
The stream of consumer data continues to flow from companies that hold the information of millions of people. Earlier this week, KrebsOnSecurity reported that 200 million consumer records held by Experian had been compromised (March 10).
 
The information was siphoned from Experian, one of the three major U.S. credit bureaus, through a company it had purchased in 2012. That company--Court Ventures--had an agreement to share consumer information with US Info Search and vice versa.
 
Through his connection with Court Ventures, Hieu Minh Ngo, a 24-year-old Vietnamese national, allegedly allowed customers of his identity-theft service to access the data.
 
In the transcript of Ngo's guilty plea in New Hampshire District Court, investigators found that his customers made about 3.1 million inquiries on American consumers over 18 months.
 
KrebsOnSecurity wrote, "At this point the government does not know how many U.S. citizens' [personally identifiable information] was compromised, although that information will be available in the near future," according to U.S. Attorney Arnold Huftalen.
Other Resources

Businessweek
RSS print
News Now LiveWire
.@TheNCUA open board meeting starts at 10 a.m. ET tomorrow. It is board member J. Mark McWatters' first. Watch @NewsNowLiveWire
7 hours ago
.@CFPB is proposing to oversee larger nonbank auto finance companies for the first time at the federal level.
8 hours ago
.@CUNA's Bill Hampel moderates a discussion on the future of credit unions in the post-100 million member world. http://t.co/kcXykiRQVn
10 hours ago
#Breaking: QE likely to end next month, @federalreserve says #NewsNow #Market http://t.co/u7Fb5l5fwM
11 hours ago
.@Experian study confirms that building a credit history is beneficial to financial marginalized communities. 64M are "credit invisibles"
11 hours ago