US Retailer Target Allowed Hacking to Happen

December 30, 2014

On December 2, 2014, Minnesota Federal Judge Paul A. Magnuson ruled that banking institutions could continue with their lawsuit against Target for direct negligence and failing to protect its customers’ data.

In his ruling against Target’s bid to dismiss the lawsuits, Magnuson wrote that although hackers caused harm, Target allowed it to happen.

According to Magnuson, the plaintiffs’ claim that Target deliberately turned off one of the security features that would have prevented the breach is enough to pursue a direct negligence case. The following day, Magnuson ruled that the consumers’ case against Target could also continue.

Historically, banks have shouldered the financial cost of hacking and have been responsible for replacing compromised cards. (This is subject to change once EMV chip-and-PIN becomes compulsory in the US.) Until then, the recent ruling sends a clear message to merchants that information security affecting consumers is as much the responsibility of businesses as it is of the banks.

And if there is evidence of negligence in securing their system, banks have the right to sue for compensation.

Global Data Sentinel’s encryption always-on policy provides foolproof data protection on top of traditional security systems, ensuring that regardless of when a threat is detected, the data will remain safe and secure at all times.

Although it is early days, if banks are successful in the case against Target, it will open the floodgates to others affected by hacking. This would mean more pressure on merchants to keep systems safe & secure.

Failure to do so would mean massive financial loss. Replacing a single compromised card can cost $10. With 40 million cards compromised during Target’s hacking, that’s roughly $400 million in card replacement alone. Of course, for big businesses like Target, this only means a large dent in profits. However, if something similar happens to smaller merchants, it could lead to bankruptcy.

Criminal hacking is a big drain on the US economy. In 2013, Reuters reported that hacking was costing the country over $100 billion each year. With the amount and type of data they process, retailers are favorite targets for hackers. And since retail systems involve third-party (customer) interaction, they are also the most vulnerable to attacks.

This vulnerability makes it imperative for retailers to keep system security tight, not only to protect customers, but ultimately the business. Target tried to do exactly that, but unfortunately, they overlooked one link in the security system, the human link.

This omission cost them dearly. Target employs more than 300 information security staff. Six months before the hacking scandal in 2013, it also invested $1.6 million in software tools to detect malware and raise alerts. This additional security layer also has an option to delete malware without human intervention. However, human errors made all these preventive measures futile.

Alerts cannot replace the need for absolute data security

An investigation revealed that on November 27, Target’s information security team in Minnesota was alerted to a malware attack. However, the team ignored the alert.

On December 2, the team received more alerts when attackers installed another version of the malware on Target’s system. They also ignored these. The investigation further revealed that Target’s security team not only ignored the alerts but also disabled the system’s security features that automatically deleted malware.

The result was the largest payment-card security breach in United States retail history, and a landmark judicial ruling that would put more legal responsibility on retailers to keep systems secure from hackers.

This ultimately highlights the flaws in many of the security systems businesses & retailers have in place today, relying on human intervention when intrusions are detected. Many times, this intervention comes too late, and the damage has already been done.
