Retail store chain Target Thursday confirmed it was hit by a massive data breach in which potentially 40 million customer payment cards and related information was stolen by attackers.
The incident first came to light yesterday in a news posting by independent security reporter Brian Krebs based on sources. Today, Target confirmed that it had indeed suffered a data breach, with Target CEO Gregg Steinhafel apologizing in a statement to customers, “We regret any inconvenience this may have caused.”
According to Target’s statement today to customers on its website, customers who made credit or debit card purchases in U.S. stores from Nov. 27 to Dec. 15 may be affected. “We began investigating the incident as soon as we learned of it,” Target’s statement says. “We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”
The retailer says it’s working with a forensics firm to investigate the breach and try to prevent similar incidents in the future.
Target told customers “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.” Target said any customers with questions should call them at 866-852-8680 or visit the Target website. Target in its statement said it had “moved swiftly to address this issue so guests can shop with confidence.”
Target is working with the U.S. Secret Service to identify the hackers in this huge data breach but has only provided a few hints publicly about how they think it took place. Naturally, there’s considerable speculation from others about how the payment card breach related to up to 40 million customer cards could have happened.
“‘Track data’ is extra sensitive data physically stored on a credit card magnetic stripe, in addition to the card number, expiration date and verification code,” said Aaron Titus, chief privacy officer and general counsel at Identity Finder. Although hackers could have used “point-of-sale skimmers” to grab the Target payment card data, he doubts that is what happened.
He says skimmers are physical devices that collect track data from point-of-sale terminals in stores. “It is extremely unlikely that hackers could have installed skimmers in Target stores across the country,” says Titus. “At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”
Stores accepting payment cards have to follow the Payment Card Industry (PCI) data security standard rules, and Titus says this is generally effective in preventing data breaches. “Target has already begun the process of locking down, analyzing, and securing their systems,” Titus says, adding PCI compliance calls for sensitive data management through discovery and classification to help identify broken business processes and technology shortcomings.
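The “discovery and classification” step Titus refers to is, in practice, a scan of files and logs for card data that should never have been written to disk in the clear. The following is an added example, not code from Target, Identity Finder or the article: it scans a constructed log excerpt for magnetic-stripe Track 1 and Track 2 records (the ISO 7813 layout: start sentinel, PAN, separator, name on Track 1, YYMM expiry, three-digit service code, end sentinel), Luhn-checks the PAN to weed out false positives, and reports each hit with the PAN masked to the first six and last four digits as PCI permits. The log lines and card numbers are constructed sample values (industry test PANs), not data from the breach.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: a terminal log that wrongly captured raw stripe reads.
# The PANs are public test numbers; nothing here comes from the Target incident.
SAMPLE_LOG = """\
2013-12-02 14:03:11 POS07 auth ok amount=42.19 ref=A1B2C3
2013-12-02 14:03:12 POS07 raw=%B4111111111111111^DOE/JANE^15121010000000000?
2013-12-02 14:05:40 POS09 raw=;5500000000000004=15121010000000000?
2013-12-02 14:06:01 POS09 auth ok amount=9.99 ref=D4E5F6
2013-12-02 14:07:22 POS11 raw=;1234567890123456=15121010000000000?
"""

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI-permitted display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    track: int
    masked_pan: str
    expiry: str
    service_code: str
    luhn_valid: bool


def scan_for_track_data(text: str) -> List[Finding]:
    """Scan each line for Track 1/Track 2 records and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
            for m in pattern.finditer(line):
                pan = m.group("pan")
                findings.append(Finding(
                    line_no=line_no,
                    track=track,
                    masked_pan=mask_pan(pan),
                    expiry=m.group("exp"),
                    service_code=m.group("svc"),
                    luhn_valid=luhn_ok(pan),
                ))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding; Luhn failures are flagged as probable noise."""
    lines = []
    for f in findings:
        status = "CARD DATA" if f.luhn_valid else "luhn-fail (probable false positive)"
        lines.append(f"line {f.line_no}: track {f.track} pan={f.masked_pan} "
                     f"exp={f.expiry} svc={f.service_code} [{status}]")
    return lines


if __name__ == "__main__":
    for line in report(scan_for_track_data(SAMPLE_LOG)):
        print(line)
```

The scanner never stores or prints a full PAN, so its own output can be handled as an ordinary finding rather than as cardholder data. The third sample line shows why the Luhn filter matters: the record has the right shape but the number is not a valid PAN, so it is flagged rather than counted as an exposure.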
Others, though, speculate a different kind of attack against Target.
“I’m not so sure it was due to a piece of malware inserted remotely by a clever hacker,” Gartner analyst Avivah Litan said today in her blog on the Target breach. “I recently heard a couple of high-placed Secret Service officers say that the Heartland Payment systems breach—the largest breach in history where 130 million payment cards were compromised—was actually executed by Alberto Gonzalez in a very low-tech manner. These agents said Gonzalez was working at Heartland as a call center employee and simply walked out with the sensitive payment card data every day on a USB drive. This apparently was AFTER he was arrested for the TJX breach and became a government informant.”
Litan says, “My guess is that the data was stolen from Target’s switching system for authorization and settlement.”
Litan goes on to say, “If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insider can cause the most damage because some basic controls are not in place. I wouldn’t be surprised with the Target breach—i.e., Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.”
Litan says Target has spent a “small fortune on payment-card security and on becoming PCI compliant.” But Target will now face pressure from the card associations (Visa, MasterCard and American Express, among others), which will raise Target’s merchant fees on transactions because of the breach. Target could also be fined for the breach and may have to reimburse card issuers for any fraud found to result from it.
Other legal consequences, such as class-action lawsuits brought by plaintiffs’ lawyers or state attorneys general, could also arise. However, she notes that such class-action suits are often dismissed, since there is typically little damage to consumers because fraudulent charges are usually reversed. “In the end, the actual fraud loss, which Target will have to pay for, is likely to be less than $25 million,” Litan suggests. “But the fees it pays the banks may be twice that amount.”
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org