Attacks/Breaches
1/10/2014 11:50 AM

Target Breach Widens: 70 Million Warned

Target discovers that personal information -- including names and contact information -- for 70 million customers was compromised in recent data breach.

Target on Friday announced that an ongoing digital forensic investigation into its recent data breach has found that personal information relating to 70 million customers was stolen.

"As part of Target's ongoing forensic investigation, it has been determined that certain guest information -- separate from the payment card data previously disclosed -- was taken during the data breach," Target said in a statement, continuing the company's marketing-spin habit of labeling customers as "guests."

"At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals," said Target. "This theft is not a new breach, but was uncovered as part of the ongoing investigation."

Target's statement doesn't make clear, however, if the 40 million previously affected cardholders are a subset of the new 70 million figure or if the revised breach count means that up to 110 million people were affected. A Target spokeswoman didn't immediately respond to an emailed request for clarification.

[For more on the Target breach, see Target Breach: 10 Facts.]

The growing number of people affected by the breach complicates efforts by Target CEO Gregg Steinhafel to rebuild trust with the company's customers. That said, the company did earn plaudits from some identity theft experts for quickly warning customers about the breach once it was discovered.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Steinhafel said Friday in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

Target has yet to offer any details about how the information was compromised, and whether it involved an inside attack or an external hacker.

Target first publicly detailed the data breach on December 19, 2013, saying that during the 19-day heist, which began in late November, there was "unauthorized access" to 40 million credit and debit cards. But Target also warned that a related investigation was only in its early stages, meaning that the number of people affected by the breach, or types of data stolen, might be revised.

Some security experts said a surge of stolen card data began flooding cybercrime sites in early December, suggesting that many Target customers -- as well as users of the store's own REDcard debit and credit card accounts -- were at immediate risk of fraud. In fact, related fraud may have been what led credit card issuers to spot signs of the breach and trace it back to Target.

Beyond fraud, now add phishing attacks to the list of concerns facing Target's data breach victims. Indeed, based on past attacks, it's a safe bet that anyone in possession of the up to 70 million Target customers' stolen names and email addresses will begin sending fake "security warnings," breach updates, or related emails to already worried Target customers. If you receive such emails, don't open any links in them -- or in any financial-related emails, for that matter.

The data breach, which Target revealed during the 2013 holiday shopping season, has taken a bite out of the company's revenues. The full extent of the financial fallout was hinted at Friday, when the company warned investors that post-breach sales had declined by between 2% and 6%. Target also said that it will close eight US Target stores in May.

Despite that fourth-quarter hit, post-breach sales have shown improvement in the last several days, Target said. But the company isn't off the hook yet financially. An update on fourth-quarter outlook released Friday by Target warned that the retailer may face significant related long-term costs.

"At this time, the company is not able to estimate the costs, or a range of costs, related to the data breach," Target said. "Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities."

On the cost front, Target will offer a year of free credit monitoring and identity theft protection to any customer that shopped in its US stores, although the company has yet to specify the time period. Target will allow customers to enroll in the monitoring program beginning next week and for up to three months after it launches.

"We know this incident has been a confusing and stressful time for our guests, and for that we apologize," Scott Kennedy, president of Target's finance and retail services, said Friday in a statement. "We hope this offer provides them with additional peace of mind."


Comments
IT-security-gladiator
User Rank: Apprentice
1/10/2014 | 12:30:03 PM
100% Proof of who and what caused the Target breach
Yup Microsoft servers again: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000009407
danielcawrey
User Rank: Apprentice
1/11/2014 | 11:46:50 AM
Re: 100% Proof of who and what caused the Target breach
This sounds very much like a cautionary tale for other retailers to pay attention to.

I just read that Neiman Marcus is now dealing with an issue with their systems. A breach, it sounds like. Not good.
mak63
User Rank: Apprentice
1/11/2014 | 4:31:52 PM
Re: 100% Proof of who and what caused the Target breach
@IT-security-gladiator

Double post.
Anyway, I believe you're deluded if you think that a particular OS has anything to do with the breach. No server is immune to hacking.

Marilyn Cohodas
User Rank: Strategist
1/13/2014 | 7:59:03 AM
Would smart cards have prevented the Target breach?
Although Target is offering a year of free credit monitoring and identity theft protection in the wake of the breach, The Wall Street Journal reported this morning that, because of the incident (along with another consumer credit card theft at Neiman Marcus), the Senate banking committee will be holding hearings in the coming weeks about the larger issue of who should bear responsibility for the costs of a cybersecurity breach. The Journal wrote:

Banks and credit unions have been pushing for years for legislation that would explicitly require the company responsible for a breach to cover its costs, but they have run into resistance from the retail industry, which argues that card issuers should improve their technology so cards can't be compromised.

Shout out to readers -- If credit card technology was more secure (e.g. smart cards), would identity theft decrease? Let's chat about it in the comments.

Ariella
User Rank: Apprentice
1/13/2014 | 9:15:02 AM
Re: Would smart cards have prevented the Target breach?
@Marilyn IBM predicts that in 5 years it will have the problem licked with what it calls a digital guardian. It explains it like this:

Protecting your patterns

Hopefully, it won't come to the point of a breach in the first place. IBM and its partners are layering in "always aware" intelligence. You can't be in two places at once. So, if the smartphone you accidentally left at a restaurant is being fondled by fraudulent fingers, the pervasive system will recognize the offender's different touch pattern (even if your phone is unlocked) and lock your account.

In another example, imagine two purchases: $40 at a gas station, and $4,000 at Tiffany & Co. Today's fraud monitoring might see the diamond purchase as highly suspicious, and ignore the charge at the pump. But your digital guardian will know that your car has a near-full tank of fuel; that you don't usually re-fuel until you're down to about one quarter tank; not to mention that you're at the office when this charge appears. It will also know that you've been shopping for an engagement ring and have been spending your lunch hour window shopping outside the store.

This and other emerging learning systems will know you, help you, and protect you as we continue to generate more and more data, and put more and more of our lives online.
