Target says it ignored early signs of data breach

NEW YORK -- Target Corp. said in its annual report that a massive security breach has hurt its image and business, while spawning dozens of legal actions, and it noted it can't estimate how big the financial cost will end up being.

The disclosure Friday with the Securities and Exchange Commission came as the nation's second-largest discounter said separately that security software picked up on suspicious activity after a cyberattack was launched, but it decided not to take immediate action.

The acknowledgment comes after Bloomberg Newsweek reported Thursday that Target's security team in Bangalore received security alerts Nov. 30 that indicated malicious software had appeared in its network. It flagged the security team at its home office in Minneapolis.

"Like any large company, each week at Target there are a vast number of technical events that take place and are logged," said Target spokeswoman Molly Snyder in a statement. "Through our investigation, we learned after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. "

She added: "With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."

Target continues to grapple with the fallout of its massive breach since it revealed in mid-December that hackers stole credit card numbers and personal data of millions of its customers. Target recently announced its chief information officer, Beth Jacob, had resigned and it was searching for an interim CIO. It also said it was working to overhaul some of its divisions that handle security and technology.

Target's sales, profit and stock prices have dropped in the wake of the breach. The retailer reported late last month its fourth-quarter profit fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers.

Target's sales have been recovering as more time passes, but it expects business to be muted for some time: It issued a profit outlook for the current quarter and full year that missed Wall Street estimates because it faces hefty costs related to the breach.

In Target's annual filing Friday, the discounter said, "We know our guests' confidence in Target and the broader U.S. payment system has been shaken. We are committed to, and actively engaged in, activities to restore their confidence." But it said it can't predict the length or extent of any ongoing impact to sales.

State and federal agencies, including the Federal Trade Commission and the SEC, are investigating the breach.

Target noted more than 80 actions have been filed in courts in many states, and more may be filed. It said it expects to dispute any claims from payment card networks that Target was not in compliance with security industry standards and said it's likely such disputes will lead to settlements in those cases.

Target disclosed Dec. 19 that a data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15.

On Jan. 10 it said hackers also stole personal information -- including names, phone numbers and email and mailing addresses -- from as many as 70 million customers.

When the final tally is in, Target's breach could eclipse the biggest-known data theft at a retailer: TJX Cos. in 2007 disclosed a breach of customer information that compromised more than 90 million records at its T.J. Maxx, Marshalls and HomeGoods stores.

Target has said it believes hackers broke into its network by infiltrating the computers of a vendor. Then the hackers installed malicious software in the checkout system for Target's approximately 1,800 U.S. stores.

In the wake of the breach, Target has worked to make changes. The company is accelerating a $100 million plan to roll out chip-based credit card technology, which experts say is more secure than traditional magnetic stripe cards.