Attacks/Breaches
12/19/2013
10:19 AM
Connect Directly
RSS
E-Mail
50%
50%

Target Confirms Hackers Stole 40 Million Credit Cards

Hackers' 19-day heist scoops up all ingredients required to make counterfeit cards.

Hackers have successfully stolen 40 million credit and debit cards from retail giant Target.

The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining "unauthorized access" to customers' names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers -- or in Target's marketing-ese, "guests."

"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its US stores," according to a statement released Thursday by Target. "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."

Target said it had immediately notified law enforcement agencies as soon as it discovered the breach, and that it planned to hire a third-party digital forensics firm to investigate the breach and recommend information security improvements.

"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, Target's president and CEO, in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

[What's on your list? My 5 Wishes For Security In 2014.]

The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."

Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.

Target operates not only Target.com, but also 1,797 stores in the United States and 124 in Canada. But based on the company's statement, only card data from its brick-and-mortar US stores appear to have been compromised. "We can't say for sure that all stores were impacted, but we do see customers all over the US that were victimized," an anti-fraud analyst at one of the country's top 10 card issuers told security reporter Brian Krebs.

The massive breach puts an unfortunate wrinkle on Minneapolis-based Target's corporate promise: "Expect more. A lot more." While the breach didn't involve as many card numbers as the biggest such breach to date -- involving thieves stealing details on up to 90 million cards from T.J. Maxx parent company TJX, it is well above last year's theft of 1.5 million accounts from payment processor Global Payments. In July, meanwhile, the Department of Justice announced charges against a Russian cybercrime ring that was accused of hacking into the systems of such businesses as NASDAQ, 7-Eleven, and JetBlue and stealing 160 million credit card numbers.

Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didn't immediately respond.

But the retailer is to be commended for coming clean about the breach relatively quickly. The company Thursday posted a data breach notification on its site that includes extensive details -- including state-by-state breakdowns -- about how customers can monitor for any identity theft that might result.

Target has warned customers to beware of fraudulent use of their credit and debit card numbers. "If you see something that appears fraudulent, REDcard holders should contact Target, others should contact their bank," the company said, referring to its Target-branded "REDcard" debit and credit cards. But so far, the company hasn't offered to provide free identity theft monitoring services to affected customers. But anyone hit with credit or debit card fraud should be able to contest the charges with their card issuer, provided they do so in a timely fashion -- usually within 60 days of receiving a related statement.

Going forward, the concern is that anyone who shopped at -- or with -- Target during the 19-day breach window is that the stolen card data could be used at any point in the future. Hackers often sell stolen card data in bulk to others via carder forums and other underground cybercrime marketplaces. Other criminals may then purchase the information and use it to make fraudulent online purchases, or encode the information into fake credit cards. These forged cards are distributed to money mules, who use them to make fraudulent in-store purchases. They then resell the goods to amass cash.

In the case of the Target breach, this cybercrime cycle could be broken if credit card issuers cancel all affected card numbers and issue new cards. Of course, it remains to be seen if they -- or Target -- are willing to foot the related bill.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
billmosby
50%
50%
billmosby,
User Rank: Apprentice
12/19/2013 | 3:53:53 PM
Credit card theft is getting to be pretty normal.
Thank goodness I have never actually found anything I was looking for at Target in recent years. lol.
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
12/19/2013 | 3:28:58 PM
Yes, bring the miscreants to justice
This just plain hurts Target, and confidence in credit card use at retailers everywhere. Target's line about bringing the miscreants to justice was a brave one. If they and law enforcement can do that, maybe there's hope this won't become a commonplace. On the other hand, if they can't, that's a clue to why they couldn't prevent this break-in in the first place.
midmachine
0%
100%
midmachine,
User Rank: Apprentice
12/19/2013 | 1:51:46 PM
Re: Must have been Microsoft servers that got hacked
That is today's most idiotic comment so far...sheesh...
pmoore520
50%
50%
pmoore520,
User Rank: Apprentice
12/19/2013 | 1:40:38 PM
Re: Nice Holiday Present
A recent article I read clued me in to another scam where the cashier (could be any store) will indicate a 'cash back' was included in the transaction when in fact, the buyer did not want any cash back.  The cashier then pockets the extra money.  Check your receipts anytime you use plastic before walking away from the register.  It only takes a moment....
Somedude8
50%
50%
Somedude8,
User Rank: Apprentice
12/19/2013 | 1:39:51 PM
Re: Yikes.
The PCI spec is far from 100% secure. Its really just a minimal starting point.
Exit to Shell
50%
50%
Exit to Shell,
User Rank: Apprentice
12/19/2013 | 1:31:53 PM
Re: Yikes.
I don't think Target should be commended for anything. Coming clean in a hurry without offering any type of free credit monitoring service for the affected guests seems like an inauthentic apology. They are basicllay saying... Hey everyone - we're sorry, I'd keep an eye on my credit card statements if I were you. We'll see if they do something more credible as time passes.

Also, with the rate at which cards are being stolen... 40 million here, 160 million there, there has to be a better way to protect consumers. Hopefully these breaches will drive the credit card/security industry to come up with better system.
jagibbons
50%
50%
jagibbons,
User Rank: Strategist
12/19/2013 | 1:25:40 PM
Re: Nice Holiday Present
The Rec Card is the way to go. Not only do you save 5% on purchases, but in this case Target could very easily cancel and re-issue all of them affected by this breach.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
12/19/2013 | 12:48:05 PM
Re: Yikes.
Thanks for the comment. Being compliant with a standard and reducing the risk of a breach to zero are two entirely different things. Being compliant with PCI means that an organization has followed a specific set of instructions for a specific set of controls and practices, like vulnerability scanning and encryption. But this doesn't mean an organization has eliminated all risk. The card brands (Visa, MasterCard, etc.) would like to conflate PCI compliance with invulnerability, but any security practitioner will tell you that invulnerability is an impossible standard.

Think of the PCI system as kind of like a driver's license. You pass a written exam and a driving exam and you get your license from the state. Then you get in an accident. The state comes along and levies extra fines against you for not having a license--because if you got in an accident, then you must not have really passed the test.
Laurianne
50%
50%
Laurianne,
User Rank: Apprentice
12/19/2013 | 12:21:45 PM
Re: Nice Holiday Present
What good does a retroactive noncompliant finding do? Thanks for pointing out this important part of the story. We'll have follow up coverage.
IT-security-gladiator
20%
80%
IT-security-gladiator,
User Rank: Apprentice
12/19/2013 | 12:17:05 PM
Must have been Microsoft servers that got hacked
If Target were running Linux Apache servers this would not have happened. Wise up Target and dump your MicroKlunk Junk MS DOS iis servers asap!
<<   <   Page 2 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

CVE-2014-0762
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows physically proximate attackers to cause a denial of service (infinite loop or process crash) via crafted input over a serial line.

CVE-2014-2380
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

CVE-2014-2381
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

CVE-2014-3344
Published: 2014-08-27
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq31129, CSCuq3...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.