At the end of December last year, during one of the busiest shopping seasons, the US retailer Target revealed that payment details from up to 40 million credit cards had been stolen after being used on card-swipe machines at 1,797 of its stores. The attack started just before Black Friday and continued for about two and a half weeks.
Five months on from the announcement of the data breach, Target’s board of directors has decided to remove Gregg Steinhafel as chairman and chief executive, saying it wanted new leadership to help restore consumer confidence. The official text from the board of directors thanks Steinhafel for his “significant contributions and outstanding service throughout his notable 35-year career with the company” but blames the CEO directly for the data breach: “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable…” And now it looks like that accountability has lost him his job.
After the attack, details started to emerge showing that Target could have prevented it. According to Bloomberg, Target had invested $1.6 million installing a malware detection tool from FireEye.
Target used a team of security specialists in Bangalore to monitor its network. On Saturday, Nov. 30, the hackers uploaded malware to Target’s network so that they could copy the stolen credit card details. FireEye spotted the malware along with some suspicious activity, and the Bangalore team alerted their bosses in Minneapolis. But it appears that the security team in Minneapolis did nothing.
Since the breach, Target has faced at least 90 lawsuits and been forced to spend at least $61 million to settle them. According to Brian Krebs, Target does not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Krebs also estimates that the cyber criminals probably made somewhere around $53 million from the sale of stolen credit card details.
It is thought that details of up to 3 million cards were successfully sold on the black market and used before the issuing banks managed to cancel the whole batch of 40 million cards.