1/10/2014
11:50 AM

Target Breach Widens: 70 Million Warned

Target discovers that personal information -- including names and contact information -- for 70 million customers was compromised in recent data breach.

Target on Friday announced that an ongoing digital forensic investigation into its recent data breach has found that personal information relating to 70 million customers was stolen.

"As part of Target's ongoing forensic investigation, it has been determined that certain guest information -- separate from the payment card data previously disclosed -- was taken during the data breach," Target said in a statement, continuing the company's marketing-spin habit of labeling customers as "guests."

"At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals," said Target. "This theft is not a new breach, but was uncovered as part of the ongoing investigation."

Target's statement doesn't make clear, however, if the 40 million previously affected cardholders are a subset of the new 70 million figure or if the revised breach count means that up to 110 million people were affected. A Target spokeswoman didn't immediately respond to an emailed request for clarification.

The growing number of people affected by the breach complicates efforts by Target CEO Gregg Steinhafel to rebuild trust with the company's customers. That said, the company did earn plaudits from some identity theft experts for quickly warning customers about the breach once it was discovered.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Steinhafel said Friday in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

Target has yet to offer any details about how the information was compromised, and whether it involved an inside attack or an external hacker.

Target first publicly detailed the data breach on December 19, 2013, saying that during the 19-day heist, which began in late November, there was "unauthorized access" to 40 million credit and debit cards. But Target also warned that a related investigation was only in its early stages, meaning that the number of people affected by the breach, or types of data stolen, might be revised.

Some security experts said a surge of stolen card data began flooding cybercrime sites in early December, suggesting that many Target customers -- as well as users of the store's own REDcard debit and credit card accounts -- were at immediate risk of fraud. In fact, related fraud may have been what led credit card issuers to spot signs of the breach and trace it back to Target.

Beyond fraud, now add phishing attacks to the list of concerns facing Target's data breach victims. Indeed, based on past attacks, it's a safe bet that anyone in possession of the up to 70 million Target customers' stolen names and email addresses will begin sending fake "security warnings," breach updates, or related emails to already worried Target customers. If you receive such emails, don't open any links in them -- or in any financial-related emails, for that matter.

The data breach, which Target revealed during the 2013 holiday shopping season, has taken a bite out of the company's revenues. The full extent of the financial fallout was hinted at Friday, when the company warned investors that post-breach sales had declined by between 2% and 6%. Target also said that it will close eight US Target stores in May.

Despite that fourth-quarter hit, post-breach sales have shown improvement in the last several days, Target said. But the company isn't off the hook yet financially. An update on fourth-quarter outlook released Friday by Target warned that the retailer may face significant related long-term costs.

"At this time, the company is not able to estimate the costs, or a range of costs, related to the data breach," Target said. "Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities."

On the cost front, Target will offer a year of free credit monitoring and identity theft protection to any customer that shopped in its US stores, although the company has yet to specify the time period. Target will allow customers to enroll in the monitoring program beginning next week and for up to three months after it launches.

"We know this incident has been a confusing and stressful time for our guests, and for that we apologize," Scott Kennedy, president of Target's finance and retail services, said Friday in a statement. "We hope this offer provides them with additional peace of mind."

Comments
Ariella,
User Rank: Apprentice
1/13/2014 | 9:15:02 AM
Re: Would smart cards have prevented the Target breach?
@Marilyn IBM predicts that in 5 years it will have the problem licked with what it calls a digital guardian. It explains it like this:

Protecting your patterns

Hopefully, it won't come to the point of a breach in the first place. IBM and its partners are layering in "always aware" intelligence. You can't be in two places at once. So, if the smartphone you accidentally left at a restaurant is being fondled by fraudulent fingers, the pervasive system will recognize the offender's different touch pattern (even if your phone is unlocked) and lock your account.

In another example, imagine two purchases: $40 at a gas station, and $4,000 at Tiffany & Co. Today's fraud monitoring might see the diamond purchase as highly suspicious, and ignore the charge at the pump. But your digital guardian will know that your car has a near-full tank of fuel; that you don't usually re-fuel until you're down to about one quarter tank; not to mention that you're at the office when this charge appears. It will also know that you've been shopping for an engagement ring and have been spending your lunch hour window shopping outside the store.

This and other emerging learning systems will know you, help you, and protect you as we continue to generate more and more data, and put more and more of our lives online.

Marilyn Cohodas,
User Rank: Strategist
1/13/2014 | 7:59:03 AM
Would smart cards have prevented the Target breach?
Although Target is offering a year of free credit monitoring and identity theft protection in the wake of the breach, The Wall Street Journal reported this morning that the incident (along with another consumer credit card theft at Neiman Marcus) the Senate banking committee will be holding hearings in the coming weeks about the larger issue of who should bear responsibility for the costs of a cybersecurity breach. The Journal wrote:

Banks and credit unions have been pushing for years for legislation that would explicitly require the company responsible for a breach to cover its costs, but they have run into resistance from the retail industry, which argues that card issuers should improve their technology so cards can't be compromised.

Shout out to readers -- If credit card technology was more secure (e.g. smart cards), would identity theft decrease? Let's chat about it in the comments.

mak63,
User Rank: Apprentice
1/11/2014 | 4:31:52 PM
Re: 100% Proof of who and what caused the Target breach
@IT-security-gladiator

Double post.
Anyway, I believe you're deluded if you think that a particular OS has anything to do with the breach. No server is immune to hacking.

danielcawrey,
User Rank: Apprentice
1/11/2014 | 11:46:50 AM
Re: 100% Proof of who and what caused the Target breach
This sounds very much like a cautionary tale for other retailers to pay attention to.

I just read that Neiman Marcus is now dealing with an issue with their systems. A breach, it sounds like. Not good.
IT-security-gladiator,
User Rank: Apprentice
1/10/2014 | 12:30:13 PM
100% Proof of who and what caused the Target breach
Yup Microsoft servers again: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
IT-security-gladiator,
User Rank: Apprentice
1/10/2014 | 12:30:03 PM
100% Proof of who and what caused the Target breach
Yup Microsoft servers again: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407