Target Admits It Was Breached

Years after it was breached by a member of Albert Gonzalez's cyberthief gang, some 17 months after its name was quietly kept out of an indictment where it was referenced, and five months after StorefrontBacktalk published its involvement, Target has confirmed that it was the victim of a data breach.

"Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited," said Target spokesperson Amy Reilly.

"A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved," Reilly said.

This is a baffler and it's merely the latest example of the strange data breach disclosure processes that major chains engage in.

Back when Target was alluded to in the initial Boston indictment of Gonzalez, authorities said they kept the chain's name out of the filings because the chain had yet to make a public announcement.

But years later, as the criminal case appears to be winding down (guilty pleas entered, sentencing imminent), Target decides to reveal the breach. Why not before? Why now? If the publicly held chain concluded that it had an obligation to confirm the breach, why release almost no details? What public good does that advance?