Attacks/Breaches
12/19/2013
10:19 AM
Connect Directly
RSS
E-Mail
50%
50%

Target Confirms Hackers Stole 40 Million Credit Cards

Hackers' 19-day heist scoops up all ingredients required to make counterfeit cards.

Hackers have successfully stolen 40 million credit and debit cards from retail giant Target.

The retailer confirmed Thursday that the massive data breach, which occurred between November 27 and December 15, resulted in attackers gaining "unauthorized access" to customers' names, credit or debit card numbers, card expiration dates, and three-digit CVV security codes. That information is all that criminals would need to make fraudulent transactions online or create working, counterfeit cards in the names of customers -- or in Target's marketing-ese, "guests."

"Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its US stores," according to a statement released Thursday by Target. "Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue."

Target said it had immediately notified law enforcement agencies as soon as it discovered the breach, and that it planned to hire a third-party digital forensics firm to investigate the breach and recommend information security improvements.

"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," said Gregg Steinhafel, Target's president and CEO, in a statement. "We take this matter very seriously and are working with law enforcement to bring those responsible to justice."

[What's on your list? My 5 Wishes For Security In 2014.]

The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."

Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.

Target operates not only Target.com, but also 1,797 stores in the United States and 124 in Canada. But based on the company's statement, only card data from its brick-and-mortar US stores appear to have been compromised. "We can't say for sure that all stores were impacted, but we do see customers all over the US that were victimized," an anti-fraud analyst at one of the country's top 10 card issuers told security reporter Brian Krebs.

The massive breach puts an unfortunate wrinkle on Minneapolis-based Target's corporate promise: "Expect more. A lot more." While the breach didn't involve as many card numbers as the biggest such breach to date -- involving thieves stealing details on up to 90 million cards from T.J. Maxx parent company TJX, it is well above last year's theft of 1.5 million accounts from payment processor Global Payments. In July, meanwhile, the Department of Justice announced charges against a Russian cybercrime ring that was accused of hacking into the systems of such businesses as NASDAQ, 7-Eleven, and JetBlue and stealing 160 million credit card numbers.

Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didn't immediately respond.

But the retailer is to be commended for coming clean about the breach relatively quickly. The company Thursday posted a data breach notification on its site that includes extensive details -- including state-by-state breakdowns -- about how customers can monitor for any identity theft that might result.

Target has warned customers to beware of fraudulent use of their credit and debit card numbers. "If you see something that appears fraudulent, REDcard holders should contact Target, others should contact their bank," the company said, referring to its Target-branded "REDcard" debit and credit cards. But so far, the company hasn't offered to provide free identity theft monitoring services to affected customers. But anyone hit with credit or debit card fraud should be able to contest the charges with their card issuer, provided they do so in a timely fashion -- usually within 60 days of receiving a related statement.

Going forward, the concern is that anyone who shopped at -- or with -- Target during the 19-day breach window is that the stolen card data could be used at any point in the future. Hackers often sell stolen card data in bulk to others via carder forums and other underground cybercrime marketplaces. Other criminals may then purchase the information and use it to make fraudulent online purchases, or encode the information into fake credit cards. These forged cards are distributed to money mules, who use them to make fraudulent in-store purchases. They then resell the goods to amass cash.

In the case of the Target breach, this cybercrime cycle could be broken if credit card issuers cancel all affected card numbers and issue new cards. Of course, it remains to be seen if they -- or Target -- are willing to foot the related bill.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
kwieting
100%
0%
kwieting,
User Rank: Apprentice
12/19/2013 | 12:16:21 PM
Re: Yikes.
ACM, Question:  How could a merchant possibly be compliant to any standard if they are breached?  It's ridiculous to think a merchant is compliant after the fact either.
Drew Conry-Murray
67%
33%
Drew Conry-Murray,
User Rank: Ninja
12/19/2013 | 11:49:16 AM
Re: Nice Holiday Present
Thanks for link from Avivah. She calls out something that has always frustrated me about PCI: that a certified compliant company can be retroactively found non-compliant if there's a breach. The card brands seem to want to promote the ridiculous fantasy that PCI is a perfect system, and if a compliant company gets breached, then it must have been because weren't really compliant. It's bizarre logic.

 
anon4768076153
50%
50%
anon4768076153,
User Rank: Apprentice
12/19/2013 | 11:48:23 AM
Re: Nice Holiday Present
After hearing the news about Target hackings,  I checked my statement and lo and behold,  (I just shopped the Target store in Kearny Mesa San Diego (Othello) and my $81.00 bill turned into $101.00, I think the store manager might want to check one of their employees ... at around 2:45pm 12/19/13 description of cashier: heavy set Black (sorry not a racist ! just a description)  Unfortunately I threw out my receipt after unloading the items.  Managers only have to remember one of their other employee, named Teresa who did the same thing !
MarciaNWC
100%
0%
MarciaNWC,
User Rank: Apprentice
12/19/2013 | 11:29:13 AM
Re: Nice Holiday Present
I also shopped at Target during the affected period, and am really frustrated. This breach underscores the broken nature of the payment card system. Gartner's Avivah Litan wrote a good analysis: http://blogs.gartner.com/avivah-litan/2013/12/19/what-can-we-learn-from-the-target-breach/.

 
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
12/19/2013 | 11:05:01 AM
Re: Nice Holiday Present
We've used the Target store credit card (Red Card) for our recent purchases there. Wondering if Target is better able to protect customers in that instance. If the crooks have that card #, at least they couldn't use it anywhere other than Target.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
12/19/2013 | 11:00:27 AM
Nice Holiday Present
As someone who shopped at Target during the breach period, I'll be spending the holidays taking a closer look at my card statements.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/19/2013 | 10:56:47 AM
Yikes.
What a nightmare. While Target should be commended for coming clean so quickly, it's unsettling that this type of ordeal could happen to such a large corporation and affect such a large number of people.
<<   <   Page 3 / 3
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.