Target POS Systems Vulnerable Since 2007?

News
By Kevin Parrish
published

A class action lawsuit suggests that Target knew about the POS vulnerability since 2007.

On Tuesday, law firm Hagens Berman Sobol Shapiro LLP announced that it has filed a proposed class-action lawsuit against recently-hacked retailer Target in the U.S. District Court for the Northern District of California. The firm claims that the retail giant ignored warnings from as early as 2007 that its point-of-sale (POS) system was vulnerable to attack.

The lawsuit, filed against Target on behalf of all the victims of the hack, alleges that security expert Dr. Neal Krawetz alerted Target -- along with other major national retail chains -- about its vulnerability to attack in a white paper outlining POS vulnerabilities at major retailers. This paper even used Target as a specific example of a potential attack, estimating back then that around 58 million customers would have their data stolen if the retailers didn't fix the outlined issues.

According to the complaint, a Target developer responsible for the POS system received the white paper and then asked if it could be sent to other Target executives. This developer also said that Dr. Krawetz had "good ideas," but ultimately the targeted retailer failed to implement those ideas, leaving Target vulnerable to attacks several years later.

"We believe that Target not only knew its systems were vulnerable to exactly this kind of attack all the way back in 2007, but was alerted to and acknowledged suggestions that would have made its customers safer," said Tom Loeser, a Hagens Berman partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys' Office in Los Angeles. "However, Target did not act on this knowledge, and as a result, tens of millions have had their personal information stolen and financial accounts compromised."

Target originally reported that hackers broke into the POS system and acquired names, credit card numbers, and encrypted PIN numbers of 40 million customers. The company then followed up with an update reporting that even more detail was stolen from 70 million customers including physical addresses, email addresses and phone numbers.

"Attorneys allege that in addition to negligence prior to the security breach, Target repeatedly misled its customers about the nature and scale of the breach. For instance, the suit claims that Target initially stated that customers' PIN numbers were not compromised, but later disclosed that the data had, in fact, been taken," the firm reports.

The lawsuit claims that Target's actions were negligent and "additionally violated a number of state laws governing unfair business practices and the disclosure of security breaches." The firm is hoping that this lawsuit will open the eyes of other retailers so that they will take customer data more seriously.

Kevin Parrish
11 Comments Comment from the forums
  • Pyree
    It's a POS system. What do you expect?
    Reply
  • lancelot123
    Kevin, if you set up the title that way on purpose, I salute you.
    Reply
  • TargetPOS
    Kevin, if you set up the title that way on purpose, I salute you.
    Exactly what I was thinking.
    Reply
  • sirskeetsalot2013
    Man this new layout sucks some fat nuts.
    Reply
  • iamadev
    @sirskeetsalot2013 - It really does doesn't it. I thought the reposts due to refreshing the page was bad enough but this new layout is a right royal pain in the arse.
    Reply
  • chomlee
    I knew it wouldn't be long before the bottom feeders got their paws in on this. I like Target and it is very unfortunate that this happend. My wifes card got comprimised and she had some charges the same day as the anouncement from a convinience store 1,000 miles away called jahalawallaslkjlk something (seriously, you could not pronounce it at all). In the end, we got a new card and we moved on. We still don't use cards there yet and they have lost millions if not billions as a result of this. Now when they are down and trying to recover, some shit ass lawfirm is comming in to basically put them out of business, then all we will be left with is WalFart.
    Reply
  • chomlee
    I knew it wouldn't be long before the bottom feeders got their paws in on this. I like Target and it is very unfortunate that this happend. My wifes card got comprimised and she had some charges the same day as the anouncement from a convinience store 1,000 miles away called jahalawallaslkjlk something (seriously, you could not pronounce it at all). In the end, we got a new card and we moved on. We still don't use cards there yet and they have lost millions if not billions as a result of this. Now when they are down and trying to recover, some shit ass lawfirm is comming in to basically put them out of business, then all we will be left with is WalFart.
    Reply
  • ultameca
    @chomlee You could choose not to shop at either, that would be the best option.. do you really need to buy cheaply made crap from those money grubbing corporations? You should support the middle class.
    Reply
  • jimmysmitty
    12454966 said:
    I knew it wouldn't be long before the bottom feeders got their paws in on this. I like Target and it is very unfortunate that this happend. My wifes card got comprimised and she had some charges the same day as the anouncement from a convinience store 1,000 miles away called jahalawallaslkjlk something (seriously, you could not pronounce it at all). In the end, we got a new card and we moved on. We still don't use cards there yet and they have lost millions if not billions as a result of this. Now when they are down and trying to recover, some shit ass lawfirm is comming in to basically put them out of business, then all we will be left with is WalFart.

    I am all against frivolous lawsuits that have turned us into a bunch of worried pansies, hell some schools are banning kids from playing tag because they may get hurt.

    But if Target knew about this security vulnerability and they did nothing about it, they are responsible. They should step up and take responsibility and help everyone who has been affected financially.

    Then they need to enhance their security. Let's look at another example. VALVes Steam servers got hacked and sensitive data got taken. But unlike Target, the data was all encrypted using AES 256Bit encryption that even with super computers would take years upon years to decrypt so it was pretty much useless. The still warned everyone and forced password changes but the fact is that they encrypted the data.

    Target makes well more money than VALVe so why was Targets data not encrypted? If they are going to store sensitive data such as CC numbers, pins etc then why would they leave it so easily accessed?

    They just didn't want to spend the money needed to apply such security. Honestly I don't feel like shopping at Target anymore knowing my data may not be safe. I didn't get hit, nor did my wife as we didn't shop during the period but it still stands they allowed this to happen and need to be responsible instead of trying to brush it off.
    Reply
  • skit75
    The Target by my house had all new POS credit card swipers the same week Target was signaling the "all clear" announcement. I never had fraudulent charges but my bank sent new cards proactively anyway.Also, POS is a well known industry acronym. Let's all not loose our cool here over the childish stuff.
    Reply