"Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited," said Target spokesperson Amy Reilly.
"A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved," Reilly said.
This is a baffler and it's merely the latest example of the strange data breach disclosure processes that major chains engage in.
Back when Target was alluded to in the initial Boston indictment of Gonzalez, authorities said they kept the chain's name out of the filings because the chain had yet to make a public announcement.
But years later, as the criminal case appears to be winding down (guilty pleas entered, sentencing imminent), Target decides to reveal the breach. Why not before? Why now? If the publicly-held chain concluded that it had an obligation to confirm the breach, why release almost no details? What public good does that advance?