When Target and Neiman Marcus revealed they’d been hacked, they didn’t come forward willingly. The attacks against the retailers only came to light after Brian Krebs, an independent cybersecurity reporter, began asking them questions.
The fact that both merchants didn’t disclose the thefts of customer data until they were pressured highlights what experts say is a troubling culture of secrecy among hacking victims, one that allows cybercriminals to thrive. Companies that get hacked often keep quiet for weeks or longer, withholding valuable information that could protect consumers and other businesses from similar attacks.
The Secret Service and Justice Department notified Target of the breach on Dec. 13, The New York Times reported Friday. The company disclosed the attack publicly six days later on Dec. 19. Target chief executive Gregg Steinhafel has said the company disclosed the attack after it “confirmed that we have an issue.”
It took almost an additional month for investigators to release a report on the Target breach, revealing Thursday that the theft of 40 million credit cards was part of a hacking campaign focused on multiple retailers.
“The fact that it took almost a month for details to come out about what actually hit Target is inexcusable,” Krebs told The Huffington Post. “Target should have told the rest of the retail industry weeks ago.”
On Friday, IntelCrawler, a cybersecurity firm, said it found that six other retailers also had been hacked with the same piece of malware used in the Target attack. IntelCrawler did not identify the retailers.
Dmitri Alperovitch, chief technology officer of the cybersecurity firm Crowdstrike, said the widespread nature of the attacks highlights why companies should share data about breaches. Companies could tell each other about the IP addresses and malicious code used when they were hacked, allowing others to protect themselves against being targeted.
“Everyone is operating in their own silo,” Alperovitch said. “People don’t share information. If these companies do not come out and say [they were hacked], we have a problem on our hands.”
Neiman Marcus said it discovered on Jan. 1 that cybercriminals had stolen credit card data from its stores to make fraudulent purchases, but waited until Jan. 10 to disclose the attacks publicly. The breach had gone undetected since July, according to The Times.
A Neiman Marcus spokeswoman has said the delay in going public was because the company was investigating the extent of the attack.
Hacking victims have several motives for not talking about breaches publicly. Companies' lawyers typically advise keeping quiet because they face potential lawsuits. The news also may damage stock prices and reputations.
But not every victim is silent. In 2009, Heartland Payment Systems, a payment processor, revealed that millions of credit and debit cards were stolen from its computer network.
Heartland went public, even though its lawyers advised otherwise, because “we felt it was important,” the company’s chief information officer told The New York Times last year.
“Until then, most people tried to sweep breaches under the rug,” Steve Elefant said. “We wanted to make sure that it didn’t happen to us again and didn’t want to sit back while the bad guys tried to pick us off one by one.”
Nearly every state has a law mandating that companies tell customers when their personal data has been compromised. But the laws give companies several weeks to investigate before disclosing a data breach. And there are no rules requiring them to share details about attacks with other businesses.
Krebs said there should be.
“I think it’s great there is some information out there now,” he said. “But I think it’s ridiculous that it took a story by a journalist to make that happen.”