Target Could Be Liable for $3.6 Billion from Security Breach

Status
Not open for further replies.
Can't wait to hear more details about this, it isn't every day that such a monumental tech failure happens. Did it go out with a firmware update on the POS systems? On the card readers themselves? Did a disgruntled employee let them in? Or was it a group that was actually competent at pulling a stunt off (unlike certain other nameless organizations that claim they can take down the entire internet).

Funny thing is that I was in a Target during that time to do some holiday shopping, but as their prices were too high, and I couldn't find exactly what I was looking for I happened to go elsewhere. But $15 less and I would be in the thick of this along with 39,999,999 other people.
 
I concur with @Martell1977, this seems to be over the top. Not trying to protect the negligent corporation here, but first of all, Target provides services to its customers that represent a true value, and they are not the ones who stole the information. Granted, they failed to protect it in the face of an attack, yet that is not unlike burglars breaking into a house and swiping all the credit cards they find. One could always argue inadequate property protection and claim that a better alarm system etc. could have thwarted the intrusion, but both sanity and common sense dictate that the house owner is the victim, while the perpetrator must be held liable for the crime. The owner may have been negligent, but this must be proven beyond doubt and it's the lesser of the two evils here. Second, the vulturous scapegoatry that typically surrounds such class action lawsuits is pretty disgusting.
 
A security breach is one thing but if the perpetrators when caught were publicly executed then it may discourage similar behaviour from other criminals but if caught they will probably get an 18 month sentence in a low security prison. Instead of pushing for more severe sentences for the criminal element we have a bunch of lawyers licking their lips at the money they can get from this debacle. Let's catch and punish the offenders so severely they won't want to do it again.
 
Never saw the cash registers at Target, but if they're like I think, they're embedded PCs imaged through PXE running Windows XP with full internet access updated over Active Directory. Sounds easy enough to inject some malware in there.
 
In all of what has been said about this, the glaring omission seems to be any lack of encryption, or safeguarding of the data, should it fall afoul of its intended use. I suspect either Target royally overlooked security, or the data was cleverly captured before being obfuscated.
 
re: Otacon's comment.
How is the government to blame?

The BANKS are the ones that have been resisting the switch to more secure chip embedded credit cards. While Target may shoulder some of the blame for this attack (very hard to determine due to lack of details thus far) the banks are the ones that have to this point determined that having easy to clone cards is better than paying for more secure cards.

That's rather like deciding it's time to start locking the vault only after you've been robbed a few times.
 
I highly doubt this is the end of Target, and I also doubt very much that Target will pay any significant fine or anything related to this. This could have happened to any store and this is probably just the beginning for these guys who are sending viruses and malware. Seems like somebody gets hit at least once or twice a year these days. Sony got hit not too long ago, and I think Sears got hit last year amongst others.
 
"A security breach is one thing but if the perpetrators when caught were publicly executed then it may discourage similar behaviour from other criminals but if caught they will probably get an 18 month sentence in a low security prison. Instead of pushing for more severe sentences for the criminal element we have a bunch of lawyers licking their lips at the money they can get from this debacle. Let's catch and punish the offenders so severely they won't want to do it again."

Complete bull. I know savvy computer users that have done nothing wrong, except clicking around in their browser and finding something wrong, an 'exploit' and getting 10+ year prison sentences.

If you knew anything about what you are talking about, you would know there are already countless unjust and very harsh penalties for finding and REPORTING very simple computer vulnerabilities. 18 months low security my ass. Considering how many talented young people I know in prison for 'hacking', it's no wonder this is going to likely turn up a foreign attack. What about that?
 
Purty darn stupid. If every company in the US that accepts credit cards is held liable for not having top-notch cyber security, then credit cards will simply stop being effective. Gross negligence, possibly a cause for a suit. But being the victim of a crime after taking reasonable precautions, no.

I have, of course, no evidence that Target did not take reasonable precautions. Just saying "if."
 
I think some of you may have missed, "If retailers are found violating the standard, they’re fined $50 to $90 per cardholder data compromised". That's if they are found violating the standard.

On top of that not notifying the people affected in a reasonable amount of time.

Now from what I gather these are just allegations at the moment, but if found to be true it's completely on Target in every way.

Though I will agree that only lawyers will be the ones really getting paid while the people actually affected (depending on their bank, with mine I doubt I would have an issue) may have to jump through some hoops to get everything taken care of.
 
If they don't end up going bankrupt over this mess they will surely be in a lot of financial trouble after this. Let this be a strong message to retailers that when you handle people's hard earned money you better have top notch security to protect their assets.
 
I live in Minnesota where Target is based. It would be a huge blow to this state if Target went out of business. I've always preferred going to Target anyways. They may not always have the same prices and selection as Walmart, but everything else is better.
 
@Typicalgeek and Otacon

Merchants are the party that are resisting the chip card. I am a manager for a midsized Credit Union and oversee the plastics department. Stock would be more expensive, but financial institutions eat most of the fraud costs these days - the added stock cost would be next to nothing vs fraud expense. So you are both wrong.

And let's all calm down. The market for CC information is much smaller these days. In the past a breach like this would be sold to European criminals, but since most of Europe is on the chip... there will likely be some fraud, but just cause you used your card at Target doesn't mean it will affect you. Plus zero cardholder liability blah blah blah. Media loves this crap.
 
@antdes45. Why would you say such a thing? You obviously have no clue about larger networks, or POS systems. Their POS systems may in fact be Windows Embedded, but they are highly modified OS installs. Not to mention, the POS network would be nowhere near internet facing. And when it does go out to connect to the banks for their transactions, it would be over special circuits, like MPLS, Managed T1s, etc. Locked down with proper ACLs. I know for a FACT that most ATMs from NCR run Windows NT 4.0 (recently "upgraded" from OS/2 Warp). Yes, it's Windows foundation, but they are highly specialized, custom built HALs, and drivers for the hardware they hook up to it. You can't take a dispenser from an ATM, and hook it up to your home Windows machine, and have the system detect an NCR 5886 series cash dispenser.

This BS from lawyers and people down in the states suing over every damn little thing is ridiculous. All companies will get hacked. WILL! It's not If, it's when. There will always be someone who finds a way to circumvent protections in place. The next thing we hear is that some family in Oklahoma is suing their kid's school because some other kid got better grades than their kid, and it made them feel bad. Give your heads a shake. Common sense is sorely lacking in this greedy capitalist world.
 
Why does ANY retailer feel compelled to keep personal information about their customers? What they should have done was process the payment, issue goods and be done with that transaction (credit card holder information is NOT needed for bookkeeping purposes). Instead they decided to hoard information that is completely irrelevant to their business and thanks to their crappy security and gross mishandling of this private information they should damn well be held accountable and cough up the fine (+ damages to everyone affected). They are just as guilty (if not more) than the perps who committed the cyber-break-in.
 
@junkieXL actually, it would be like a houseowner agreeing to care while getting paid for someone else's valuable goods, let's say diamonds, then leaving a window unlocked while they leave the house. The house owner would be liable for those missing diamonds.
 
@gondor, Companies keep the information for several reasons. They track spending types and amounts, along with what is being bought to watch for trends, this way they can keep stock of more popular items. A major reason is that they keep the information for fraud security, when someone claims fraudulent purchases were made on their cards, the companies will have a fairly complete picture of the person's spending history.

Visa itself does this to prevent fraud. If your card suddenly starts making large purchases and their data shows you rarely or never make large purchases, your account is flagged. I had my Visa card locked because it had been a while since I made a large purchase and then ordered $1200 in parts on Newegg.

That being said, Target should have had enough respect for the sensitivity of the data and taken every reasonable precaution. This only happened to Target, so far, so it makes me wonder if there was something specifically different about their system that made them vulnerable, or if this was a general security hole. They still haven't stated what specifically happened, from what I've read about it.
 
"A security breach is one thing but if the perpetrators when caught were publicly executed then it may discourage similar behaviour from other criminals but if caught they will probably get an 18 month sentence in a low security prison. Instead of pushing for more severe sentences for the criminal element we have a bunch of lawyers licking their lips at the money they can get from this debacle. Let's catch and punish the offenders so severely they won't want to do it again."

Complete bull. I know savvy computer users that have done nothing wrong, except clicking around in their browser and finding something wrong, an 'exploit' and getting 10+ year prison sentences.

If you knew anything about what you are talking about, you would know there are already countless unjust and very harsh penalties for finding and REPORTING very simple computer vulnerabilities. 18 months low security my ass. Considering how many talented young people I know in prison for 'hacking', it's no wonder this is going to likely turn up a foreign attack. What about that?

. . . actually I do know what I'm talking about also being very computer savvy - finding and reporting vulnerabilities will not get you into jail. Finding them and exploiting them for your personal gain or causing harm to others will get you into jail so I suggest you re-calibrate your moral compass and get off your high horse.
 
ANONYMOUS - You completely missed the point . . . a crime has been committed and all these people care about is getting money from someone. Lawyers in cases like these are not usually paid a fee - they get a percentage of the damages which can be 40% or higher if they win (which if you got out of your parents' basement you would know about) so it's all about the money and a bunch of people trying to get something for nothing . . . unless their accounts have in fact been compromised they have no basis for claim - no harm no foul - even if it had the credit card companies will cover any losses.

Anyone detecting vulnerabilities in computer systems and reporting them won't go to jail BUT I don't for a second believe that anyone who hacks a bank or credit card security system and "steals" credit card numbers is "innocently noodling around and inadvertently finds vulnerabilities" any more than someone walking around my house looking for possible ways to break in (who I have not hired for such a purpose) is not likely to be a burglar. The moment someone breaches a system and in any way harms it, or causes harm to others through misuse of resources and information that they are not authorized to use they have crossed the line into criminality so I suggest you re-calibrate your moral compass and get off your high horse . . . hackers are not the defenders of the free world or knights in white armour that they like to paint themselves as.
 