Why Target Keeps Getting Hacked
But Target’s latest misfortune should have come as a surprise to no one — least of all to Target itself. The security measures that it and other companies implement to protect consumer data have long been known to be inadequate. Instead of overhauling a poor system that never worked, however, the card industry and retailers have colluded in perpetuating a myth that they’re doing something to protect customer data — all to stave off regulation and expensive fixes.
“It’s a big failure of the whole industry,” says Gartner analyst Avivah Litan. “This is going to keep getting worse, and this was totally predictable a few years ago and no one did anything. Everyone got worked up, and no one did anything.”
Not a lot is known yet about how the recent Target hack occurred. The intruders began the heist November 27, the day before Thanksgiving, and spent two weeks gobbling up unencrypted credit and debit card data for 40 million customers before the company discovered their presence December 15.
In addition to card data, the thieves also swiped PINs for the accounts, though the company says the PINs are worthless to the thieves because they were encrypted with Triple DES at the card reader, and the key for decrypting them was not stored on Target’s system. Recently Target revealed that the thieves also absconded with the names, addresses, phone numbers, and email addresses of about 70 million customers - some of whom are the same customers whose card data was stolen.
More: Target Got Hacked Hard in 2005. Here’s Why They Let It Happen Again