Who is to blame in Target card breach?

Target defends actions
Tools

Target (NYSE:TGT) this week said its security efforts were not to blame for the massive credit card breach late last year, contradicting what the retailer previously stated. In advance of its shareholder meeting, Target is forming a defense against activist shareholders interested in making changes to the board of directors.

"Breaches are occurring across the economy and are affecting a wide range of victims including the U.S. government, the technology and defense industries and more traditional companies, like retailers," reads a letter from Target to shareholders, according to The New York Times. "Your board fully recognizes the importance of its oversight responsibilities in this area. Under the board's leadership and oversight, Target took significant action to address evolving cybercrime risks before the breach."

This contradicts Target's own account of the event. In early March, the company confirmed it had failed to act on early warnings of malicious activity during its massive data breach. "With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," company spokeswoman Molly Snyder said in a statement.

So, who really is to blame in the major breach, which has also impacted Michaels Stores, Sally Beauty Supply and others?

Despite its protests now, information security experts said Target did not have certain important safeguards in place. And in March, the retailer acknowledged that its computer system had sent out alerts of suspicious activity during the breach, but that those warnings were ultimately ignored, according to The New York Times.

The early warnings came from Target's own $1.6 million security system called FireEye, which allegedly sent alerts that failed to get any response. According to an independent review, if Target's security team had taken action after the earliest FireEye alerts, it could have thwarted the cyber attack.

According to Target, however, these alerts didn't go unnoticed and, after an internal investigation, they were dismissed as inconsequential.

Since the breach, Target has taken many steps to enhance security, wrote Roxanne Austin, the interim chairwoman of Target's board, in the letter. These efforts include accelerating its conversion to a more secure payment-card technology on its branded cards and in its stores and hiring a new chief information officer.

For more:
-See this New York Times story
-See this Forbes blog post

Related stories:
Target gets serious about its digital transformation
Lowe's discloses breach of employee information
Steinhafel's departure leaves Target looking for redemption
Data breaches add up to lost sales
Target names DeRodes CIO, adds MasterCard chip-and-PIN