Huffpost Technology
Gerry Smith

Target Under Fire For Not Revealing Hacks Earlier

Target in New York. Target faces lawsuits from customers after announcing that the credit card information of 40 million customers who shopped at the retailer between December 15 and 27 was stolen. The case files claim that Target failed to maintain reasonable security procedures for customer safety. The company is being sued by many clients in US courts. If the number of lawsuits increases, a joint case is to be formed | Anadolu Agency via Getty Images

When Target and Neiman Marcus revealed they’d been hacked, they didn’t come forward willingly. The attacks against the retailers only came to light after Brian Krebs, an independent cybersecurity reporter, began asking them questions.

The fact that both merchants didn’t disclose the thefts of customer data until they were pressured highlights what experts say is a troubling culture of secrecy with hacking victims that allows cybercriminals to thrive. Companies that get hacked often keep quiet for weeks or longer, withholding valuable information that could protect consumers and other businesses from similar attacks.

The Secret Service and Justice Department notified Target of the breach on Dec. 13, The New York Times reported Friday. The company disclosed the attack publicly six days later on Dec. 19. Target chief executive Gregg Steinhafel has said the company disclosed the attack after it “confirmed that we have an issue.”

It took almost an additional month for investigators to release a report on the Target breach, revealing Thursday that the theft of 40 million credit cards was part of a hacking campaign focused on multiple retailers.

“The fact that it took almost a month for details to come out about what actually hit Target is inexcusable,” Krebs told The Huffington Post. “Target should have told the rest of the retail industry weeks ago.”

On Friday, IntelCrawler, a cyber-security firm, said it found that six other retailers also had been hacked with the same piece of malware used in the Target attack. IntelCrawler did not identify the retailers.

Dmitri Alperovitch, chief technology officer of the cybersecurity firm Crowdstrike, said the widespread nature of the attacks highlights why companies should share data about breaches. Companies could tell each other about the IP addresses and malicious code used when they were hacked, allowing others to protect themselves against being targeted.

“Everyone is operating in their own silo,” Alperovitch said. “People don’t share information. If these companies do not come out and say [they were hacked], we have a problem on our hands.”

Neiman Marcus said it discovered on Jan. 1 that cybercriminals had stolen credit card data from its stores to make fraudulent purchases, but waited until Jan. 10 to disclose the attacks publicly. The breach had gone undetected since July, according to The Times.

A Neiman Marcus spokeswoman has said the delay in going public was because the company was investigating the extent of the attack.

Hacking victims have several motives for not talking about breaches publicly. Companies' lawyers typically advise keeping quiet because they face potential lawsuits. The news also may damage stock prices and reputations.

But not every victim is silent. In 2009, Heartland Payment Systems, a payment processor, revealed that millions of credit and debit cards were stolen from its computer network.

Heartland went public, even though its lawyers advised otherwise, because “we felt it was important,” the company’s chief information officer told The New York Times last year.

“Until then, most people tried to sweep breaches under the rug,” Steve Elefant said. “We wanted to make sure that it didn’t happen to us again and didn’t want to sit back while the bad guys tried to pick us off one by one.”

Nearly every state has a law mandating that companies tell customers when their personal data has been compromised. But the laws give companies several weeks to investigate before disclosing a data breach. And there are no rules requiring them to share details about attacks with other businesses.

Krebs said there should be.

“I think it’s great there is some information out there now,” he said. “But I think it’s ridiculous that it took a story by a journalist to make that happen.”
