Target's computer security staff advised the retailer to review the security of its payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, according to several reports published Friday.
Citing unnamed sources familiar with the matter,The Wall Street Journal and American Bankerpublished stories on their websites that said at least one intelligence analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment systems' vulnerability to malware, but the request was brushed off.
The warning came at the time Target was updating those payment terminals, which can open security risks, and as the retailer was preparing for the holiday season. After updating the terminals, analysts would have had less time to find holes in the new system.
A former employee told the Journal that the analyst's concern came after the federal government and private research firms had distributed memos last spring and summer, warning companies about the emergence of new types of malicious computer code targeting payment terminals.
According to the Journal story, it is not known whether Target reviewed the payment system before the attack, which occurred between Nov. 27 and Dec. 18, and compromised the credit and debit card information along with 70 million customers' phone numbers and email addresses.
Target did not immediately respond to a request for comment.
Because of the volume of security warnings retailers receive, it is difficult for companies to decide which to take seriously, the former employee told the Journal. Target's cybersecurity intelligence team sees numerous threats each week, but can only prioritize a limited number at their monthly steering committee meetings, the employee said.
On Thursday, 15 Washington, D.C., trade groups representing banks and retail stores created a partnership aimed at better protecting payment data from hackers in the future, according to the Journal.
The group, led by President of the Retail Industry Leaders Association Sandy Kennedy and former Minnesota Gov. Tim Pawlenty, is intended to bring financial and retail industries to work together in sharing cyberthreat information and advancing payment technology.
The two industries' lack of cooperation was criticized at last week's congressional hearings about the breach. At those hearings, Target's Chief Financial Officer John Mulligan said the retailer had passed an audit that certified its compliance with payment industry requirements for protecting card data as recently as September.
Both the National Retail Federation and the American Bankers Association have joined the new coalition, which has an early goal of finding a national standard for notifying customers whose data has been stolen in place of the current patchwork of state notification requirements.
At least 53 lawsuits have been filed against Target since the breach, according to the Courthouse News database. Employees Credit Union, of Dallas; KC Police Credit Union, of Kansas City, Mo.; and American Bank of Commerce, of Wolfforth, Texas are the latest to join the long list of plaintiffs