Hackers' 19-day heist scoops up all ingredients required to make counterfeit cards.

Mathew J. Schwartz, Contributor

December 19, 2013

5 Min Read

Hackers have successfully stolen 40 million credit and debit cards from retail giant Target.

The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining "unauthorized access" to customers' names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers -- or in Target's marketing-ese, "guests."

"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its US stores," according to a statement released Thursday by Target. "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."

Target said it had immediately notified law enforcement agencies as soon as it discovered the breach, and that it planned to hire a third-party digital forensics firm to investigate the breach and recommend information security improvements.

"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, Target's president and CEO, in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

[What's on your list? My 5 Wishes For Security In 2014.]

The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."

Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.

Target operates not only Target.com, but also 1,797 stores in the United States and 124 in Canada. But based on the company's statement, only card data from its brick-and-mortar US stores appear to have been compromised. "We can't say for sure that all stores were impacted, but we do see customers all over the US that were victimized," an anti-fraud analyst at one of the country's top 10 card issuers told security reporter Brian Krebs.

The massive breach puts an unfortunate wrinkle on Minneapolis-based Target's corporate promise: "Expect more. A lot more." While the breach didn't involve as many card numbers as the biggest such breach to date -- involving thieves stealing details on up to 90 million cards from T.J. Maxx parent company TJX, it is well above last year's theft of 1.5 million accounts from payment processor Global Payments. In July, meanwhile, the Department of Justice announced charges against a Russian cybercrime ring that was accused of hacking into the systems of such businesses as NASDAQ, 7-Eleven, and JetBlue and stealing 160 million credit card numbers.

Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didn't immediately respond.

But the retailer is to be commended for coming clean about the breach relatively quickly. The company Thursday posted a data breach notification on its site that includes extensive details -- including state-by-state breakdowns -- about how customers can monitor for any identity theft that might result.

Target has warned customers to beware of fraudulent use of their credit and debit card numbers. "If you see something that appears fraudulent, REDcard holders should contact Target, others should contact their bank," the company said, referring to its Target-branded "REDcard" debit and credit cards. But so far, the company hasn't offered to provide free identity theft monitoring services to affected customers. But anyone hit with credit or debit card fraud should be able to contest the charges with their card issuer, provided they do so in a timely fashion -- usually within 60 days of receiving a related statement.

Going forward, the concern is that anyone who shopped at -- or with -- Target during the 19-day breach window is that the stolen card data could be used at any point in the future. Hackers often sell stolen card data in bulk to others via carder forums and other underground cybercrime marketplaces. Other criminals may then purchase the information and use it to make fraudulent online purchases, or encode the information into fake credit cards. These forged cards are distributed to money mules, who use them to make fraudulent in-store purchases. They then resell the goods to amass cash.

In the case of the Target breach, this cybercrime cycle could be broken if credit card issuers cancel all affected card numbers and issue new cards. Of course, it remains to be seen if they -- or Target -- are willing to foot the related bill.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights