Comments
Target Breach: 10 Facts
PaulS681,
User Rank: Apprentice
12/21/2013 | 5:18:56 PM
When?
 

I think one of the big questions here is when Target found out about this. These breaches should be made public ASAP in my opinion. You can go back and find out about who is responsible after, but letting your customers know ASAP is critical.
CC_Insider,
User Rank: Apprentice
12/21/2013 | 6:47:15 PM
Re: When?
Another article out there says Target discovered this only on the 15th.  Considering that this would be a truly "oh shit" moment, the disclosure was timely.  There's no undue delay here.  The first concern for when something happens like this is shutting off and stopping the bleeding, to keep it from continuing.  So for a couple of days to go by is not a problem.
PaulS681,
User Rank: Apprentice
12/21/2013 | 10:04:21 PM
Re: When?
I disagree... You find out about it and stop the attack and notify the public. A few days doesn't sound like much but I don't see a reason why they can't notify when they find out.
Brian.Dean,
User Rank: Apprentice
12/22/2013 | 5:41:35 AM
Re: When?
I hear you and understand that the need to quickly disclose any kind of data breach is a matter of extreme importance for the protection of customers. Likewise, it is also important to confirm and be 100% sure that a data breach has taken place before releasing an alert, because false positives would not only cause unnecessary panic for the customer but would also undermine the legitimacy of future alerts.
Brian.Dean,
User Rank: Apprentice
12/22/2013 | 6:28:54 AM
Transitions are Important
Banking has come a long way since pre-internet times, but as people continue to use electronic forms to make payments, the need to increase the security standard increases, while at the same time complexity needs to be kept to a minimum.

Almost all developing countries have a banking sector, but not all of their population is banked. The reasons for this are many: one reason is that the population views banks as being too complex, another is a view that banks are not as secure as they should be. 40 million is a large number; before newer forms of payment become discredited, I think it is vital to add security and limit complexity before it starts to affect the number of transitions carried out.
PaulS681,
User Rank: Apprentice
12/22/2013 | 12:04:05 PM
Re: When?
I agree you have to be 100% positive, but if they were on the 15th then why didn't we hear about it? I think if Target came out and said why they waited it might help a little. Although this is the least of Target's problems, as class action lawsuits are popping up all over the place due to the fact they were breached.
Banker666,
User Rank: Apprentice
12/22/2013 | 9:37:02 PM
Millions of dollars
I work at a bank that does card processing and I for one can say PCI is a joke in my opinion. After being audited they made us move all of the card processing off onto its own separate mainframe systems. They were totally clueless about how a mainframe works and how it processes. As a result our company spent millions of dollars to meet their compliance. In my opinion the vast majority of breaches occur on the retail side. For example I walk into a store and use my card and the clerk doesn't ask for any ID from me. How about making these retailers make their employees go thru a fingerprint and background check like we had to where I work at. I wonder if Target was using offshore IT services. Duh let me guess. The discussion where I work has been how many cards are we going to have to re-issue because of this and not to mention all of the account forwarding processing we'll likely have to do. The bigger issue is that whoever pulled this off won't be jailed, much less captured and brought to justice and they likely know it too. If I pulled off something like this in the U.S. I'd be put into prison. I know one thing for sure we'll be re-evaluating offshore access and their use. Maybe even put them all out the door. Gawd I could not imagine our reputation ruined because of a major breach like this.
Chris1001,
User Rank: Apprentice
12/23/2013 | 1:47:47 AM
Kudos? Target was outed by a journalist
The breach was reported to the public by journalist Brian Krebs. Target was outed. They did not "come clean" of their own accord.
samicksha,
User Rank: Apprentice
12/23/2013 | 2:41:36 AM
Re: Kudos? Target was outed by a journalist
I am not shocked and neither surprised but yes, was it so easy for hackers to attack, I mean 40 million accounts is not a small number. We have been discussing and claiming about more rigid and bulletproof security but still hackers manage to find good loopholes. I am not sure but I read CVV number was also stolen which ideally should be available only with user physically on the card.
SaneIT,
User Rank: Apprentice
12/23/2013 | 7:50:30 AM
Re: Kudos? Target was outed by a journalist
This is one of the things that bothers me most. Target didn't come out and notify customers to protect them, they kept quiet as long as they could and it sounds like the "fix" for this is a knee-jerk reaction by the banks who issued the cards. If the trend of punishing customers after a data breach continues we're going to see a lot more people protecting themselves by avoiding companies who have had data losses in the past.