Network World - Retail store chain Target Thursday confirmed it was hit by a massive data breach in which potentially 40 million customer payment cards and related information were stolen by attackers.
The incident first came to light yesterday in a news posting by independent security reporter Brian Krebs based on sources. Today, Target confirmed that it had indeed suffered a data breach, with Target CEO Gregg Steinhafel apologizing in a statement to customers, “We regret any inconvenience this may have caused.”
According to Target’s statement today to customers on its website, customers who made credit or debit card purchases in U.S. stores from Nov. 27 to Dec. 15 may be impacted. “We began investigating the incident as soon as we learned of it,” Target’s statement says. “We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”
The retailer says it’s working with a forensics firm to investigate the breach and try to prevent similar incidents in the future.
Target told customers “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports.” Target said any customers with questions should call them at 866-852-8680 or visit the Target website. Target in its statement said it had “moved swiftly to address this issue so guests can shop with confidence.”
Target is working with the U.S. Secret Service to identify the hackers in this huge data breach but has provided only a few hints publicly about how it thinks the breach took place. Naturally, there’s considerable speculation from others about how a payment card breach affecting up to 40 million customer cards could have happened.
“‘Track data’ is extra sensitive data physically stored on a credit card magnetic stripe, in addition to the card number, expiration date and verification code,” said Aaron Titus, chief privacy officer and general counsel at Identity Finder. Although hackers could have used “point-of-sale skimmers” to grab the Target payment card data, he doubts this happened.
He says skimmers are physical devices that steal track data from point-of-sale machines in stores. “It is extremely unlikely that hackers could have installed skimmers in Target stores across the country,” says Titus. “At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”
Stores accepting payment cards have to follow the Payment Card Industry (PCI) data security standard rules, and Titus says this is generally effective in preventing data breaches. “Target has already begun the process of locking down, analyzing, and securing their systems,” Titus says, adding that PCI compliance calls for sensitive data management through discovery and classification to help identify broken business processes and technology shortcomings.