Target admits breach on 40 million accounts


In a massive data breach, Target Corp. admitted Thursday that data from as many as 40 million credit and debit cards had been stolen. Coming during the busiest shopping season, the public relations nightmare is huge.

Reuters had this story by Jim Finkle and Dhanya Skariachan:

Target Corp said hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season in the second-largest such breach reported by a U.S. retailer.

In terms of the speed at which the hackers were able to access large numbers of credit cards, the data theft was unprecedented. The operation was carried out over just 19 days during the heart of the crucial Christmas holiday sales season: from the day before Thanksgiving to this past Sunday.

Target, the third-largest U.S. retailer, said on Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.

Target did not detect the attack on its own, according to a person familiar with the investigation.

The story from Wired by Kim Zetter chronicled many recent incidents where customer data was compromised from point-of-sale terminals:

The breach, which was first reported by security journalist Brian Krebs on Wednesday, continued through December 15 and may have affected all locations nationwide. Customers who shopped through Target’s online storefront are not believed to have been affected.

The thieves breached the point-of-sale system (POS) and stole customer magstripe data, including names, credit or debit card numbers, expiration dates and everything else needed to make counterfeit cards. Target did not indicate if PIN numbers were also taken, which would allow the thieves to use the account data to withdraw cash from ATMs.

It’s unclear how the breach of the point-of-sale system occurred. It’s possible the thieves installed malware on the card readers at stores or breached the transaction network and sniffed data at a point that it was not encrypted.

Last year, thieves breached the point-of-sale system of 63 Barnes and Noble stores in nine states. In that case, the hackers installed malware on the point-of-sale card readers to sniff the card data and record PINs as customers typed them.

In July 2012, security researchers at the Black Hat security conference in Las Vegas showed how they were able to install malware onto POS terminals made by one vendor, by using a vulnerability in the terminals that would allow an attacker to change applications on the device or install new ones in order to capture card data and cardholder signatures.
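The Wired passage above lists what magstripe track data carries (cardholder name, card number, expiration date) and notes that the data may have been sniffed at a point where it was not encrypted. As an added example that is not part of the original article or of any outlet it quotes, here is a small Python detector of the kind a DLP or network-monitoring tool uses to flag Track 1 and Track 2 formatted data in a captured buffer: it validates each candidate number with the Luhn check so that random digit runs are ignored, and it reports only masked card numbers so the detector itself never becomes a place where full card data is written down. The sample buffer, the cardholder name, and the use of well-known, Luhn-valid test card numbers are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few bytes of the kind a memory scraper or network tap
# would see where a POS system handles magstripe data in the clear. The card
# numbers are publicly known test PANs (Luhn-valid, not real accounts) and the
# cardholder name is made up; the third record is deliberately not Luhn-valid.
SAMPLE_BUFFER = (
    b"POS-TXN 0001 OK\r\n"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?\r\n"
    b";5555555555554444=2512101123456789?\r\n"
    b";1234567890123456=2512101?\r\n"
    b"END\r\n"
)

# Track 1: %B<PAN>^<NAME>^<YY><MM>...   Track 2: ;<PAN>=<YY><MM>...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so the hit is actionable but not reusable."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int          # 1 or 2
    masked_pan: str
    expiry: str         # MM/YY as encoded on the stripe
    name: Optional[str]  # only Track 1 carries the cardholder name


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Scan a raw buffer and return masked hits for Luhn-valid track data."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            expiry = f"{m.group(4).decode()}/{m.group(3).decode()}"
            hits.append(TrackHit(1, mask_pan(pan), expiry, m.group(2).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            expiry = f"{m.group(3).decode()}/{m.group(2).decode()}"
            hits.append(TrackHit(2, mask_pan(pan), expiry, None))
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BUFFER):
        print(f"ALERT track{hit.track} pan={hit.masked_pan} exp={hit.expiry} name={hit.name}")
```

Run against the constructed buffer, the detector reports two hits (one Track 1 with the cardholder name, one Track 2 without) and silently drops the record whose number fails the Luhn check. Note what the parsed fields do and do not contain: name, number and expiry are all on the stripe, which is exactly the set the article says is enough for counterfeit cards, while the PIN is not encoded there, which is why its loss is a separate question.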

USA Today’s story by Jayne O’Donnell focused on how stores are struggling to stay ahead of criminals who are finding it easier to steal information:

Increasingly sophisticated fraudsters can replace checkout line credit and debit card readers with ones that wirelessly transmit data to banks but also the criminals. But breaches as large as Target’s, reported to involve some 40 million cards, are more likely to involve network or software breaches, perhaps when an employee of the company or a contractor provides access to the “back door” of the system, says longtime retail crime expert Joe LaRocca, former head of loss prevention for the National Retail Federation.

The access can be done intentionally or unwittingly, says LaRocca.

“In my opinion, someone found a way to manipulate the system to extract the numbers,” says LaRocca, founder of RetaiLPartners, a loss prevention consulting company. “When a network intrusion occurs, typically a vulnerability is discovered and may involve some inside collusion. Someone opened the back door or carelessly left the back door open” by not using proper security practices.

Target said it began investigating the incident as soon as it learned of it, but didn’t disclose when that was. The problem was first reported on a blog by security expert and former reporter Brian Krebs.

A third-party forensics firm is working with Target to investigate the incident and to determine what else the retailers can do to prevent the problem in the future.

Retailers are struggling to stay ahead of the criminals in this area, experts say.

Bloomberg’s Matt Townsend, Lindsey Rupp and Lauren Coleman-Lochner reported that the U.S. Secret Service was looking into the incident along with attorneys general in two states:

The U.S. Secret Service said yesterday that it was probing the incident, and two states’ attorneys general said today that they’ve begun inquiries.

Target’s challenges come as U.S. retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009. The last thing Target needs as rivals pour on discounts in a last-ditch grab for market share is for its customers to wonder if they should use their cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.

“The timing could be a concern, especially only a few days before Christmas,” he said in an interview.

Target, which has 1,797 stores in the U.S. and 124 in Canada, fell 2.2 percent to $62.14 at the close in New York. The stock has gained 5 percent this year, compared with a 42 percent gain for Standard & Poor’s 500 Retailing Index.

The breach occurred when a computer virus infected Target’s point-of-sale terminals where shoppers swipe a credit or debit card to make a purchase, said a person familiar with the matter who asked not to be identified because the investigation is private. Molly Snyder, a spokeswoman for Target, didn’t respond to a request for comment on the cause.

Whatever the cause, Target is going to have some public relations work to do, especially since some people will be out money during the holidays. It’s never easy to tell customers you’ve got a problem, but adding to the stress of the holidays could cause even more headaches and backlash for the retailer.