Attacks/Breaches
12/20/2013 08:36 AM

Target Confirms Massive Breach Affects 40 Million Customers

Target says data breach issue 'has been resolved,' but customers are up in arms

Retail giant Target confirmed Thursday that some 40 million customer credit and debit accounts may have been compromised in a breach of its online customer data.

In a statement posted on its website, Target said unauthorized access to payment card data "may have impacted certain guests" who made credit and debit purchases at its U.S. stores.

"Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue," the statement says.

The data theft took place from Nov. 27 to Dec. 15, according to Target, and "may have impacted" 40 million customers. The company has not officially said how the breach occurred, but many experts suspect a compromise of the point-of-sale systems at its brick-and-mortar stores, because Target said its online business "was not affected."

From the courts to social media, Target customers have reacted badly to the news of the breach. A customer in California filed a class-action lawsuit against Target late on Thursday. Samantha Wredberg said in a court filing that she was a regular shopper at Target and made a purchase at a company store on Dec. 8. Wredberg is seeking damages and asked the court to certify the lawsuit as a class action.

Wredberg also asked the court to determine whether "Target unreasonably delayed in notifying affected customers of the data breach."

Target's stock was down 2.2 percent at $62.15 on the New York Stock Exchange on Thursday. Many customers made negative posts on the Target Facebook page, some stating that they will no longer shop at the company's stores.

The security industry reacted quickly with comments about the breach. Some speculated on its cause, while others drew lessons and conclusions from it:

• "It appears that the majority of this information was taken from the point-of-sale (POS) machines themselves, which were infected by malware that intercepted the data itself during the magstripe swipe," said Kevin O'Brien, director of product marketing at CloudLock, in an analysis of the breach.

"Target's POS machines were most likely designed to be fast, convenient, and easy for store employees and customers to use and maintain," O'Brien said. "However, they were responsible for moving and managing a tremendous amount of high-value information, and it is clear that the security and monitoring systems in place were inadequately designed and managed."

• "The most likely scenario is the attackers hacked their way to a central relay point [in Target's POS network], where they could snag credit cards coming through for processing from multiple stores," said Lucas Zaichkowsky, enterprise defense architect at security incident response firm AccessData. "A second, less likely possibility is that the attackers identified a weakness replicated across multiple stores. They would then break into all affected locations the same way and set up their tools that sniff credit card data at the store level."

• "Recently, we have seen that attackers have been increasingly focused on small businesses and retail merchants," said Bala Venkat, chief marketing officer at application security firm Cenzic. "When searching for vulnerable targets, attackers are discovering that many retail merchants and point of sale terminals haven't implemented some of the basic security measures required by the PCI DSS (Payment Card Industry Data Security Standard).

"As a result, attackers increasingly are seeking to compromise the retail merchants environments through targeted, 'production line'-type attacks," Venkat said. "Unfortunately, these attacks go undetected for long periods of time due to a lack of monitoring by the retail merchants."

Although some Target customers complained that the retail giant took too long to inform them about the breach, most security experts agreed that the company reacted relatively quickly compared to other attacks on retail chains. Many experts compared the breach to the massive TJX compromise of 2007, which affected even more customers than the Target breach.

"What's most surprising about the Target breach isn't that it happened, but the speed with which Target was able to react -- the window of time that the breach was in force was only a few weeks," noted Mike Murray, managing partner of MAD Security, a firm that focuses on human vulnerabilities and solutions for enterprise security.

"This is a great deal more effective than we've seen in other breaches," Murray said. "We need not to be punishing Target, but rewarding them for their vigilance -- especially when the easiest behavior would have been to ignore their information security responsibilities or attempt to sweep the issue under the rug."

Many experts pointed out that the data compromise indicates a possible breach of PCI DSS guidelines set by payment card providers, and that fines for negligence may follow. Attorneys General in New York and Massachusetts told the media that they have asked Target for more information about the breach and will evaluate whether the proper controls had been implemented.

"This raises the question, was Target PCI-compliant?" asked W. Hord Tipton, managing director at security professionals' association (ISC)2. "Most of the time in these investigations, companies hit like this aren't really in compliance."

Some retailers that have experienced major breaches were later found to be PCI compliant at the time of those breaches, which suggests that the guidelines may not be strong enough, Tipton stated.

"This breach puts PCI on the hot seat," Tipton said. "Is this standard still the right one? Technology changes so quickly, and threat actors continue to advance their techniques. Do we need better standards that can keep up with the changing threat landscape? I'd say yes."

While the industry struggles with the right standards, Target will have to take steps to keep its customers, said Conan Dooley, security analyst at Bishop Fox, a consultancy that helps enterprises evaluate their defenses and audit their compliance with security guidelines.

"How [the compromise] affects Target's sales over the holidays is going to be largely determined by how they react to this breach," Dooley said. "They could provide insight into the processes and resources being used to reassure customers that their data will be safe in the future. Or they could fail to handle the problem gracefully and erode the faith that consumers have in the brand.

"I think the best way for Target to regain trust would be to not only catch the individuals responsible, but also illustrate how they have secured their infrastructure against the threat of future attacks," Dooley stated. "The worst reaction they could have would be to downplay or trivialize the seriousness of the breach, only to have their systems compromised again in the future."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.

Comments
gosmartyjones, User Rank: Apprentice, 4/14/2014 | 3:18:30 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
As a PCI-QSA, I'm hearing stories that Target I.T. personnel simply were not being proactive, attentive - and worse - were well aware of the issue at hand. This is unfortunately the same attitude I witness on a daily basis with many technology companies that store, process, and/or transmit cardholder data. It's always about how cheap, quick, and fast can somebody become compliant, just to say they are compliant. Until companies start taking information security SERIOUSLY, this will continue. The most basic of security protocols, such as well-written security policies, sound patch and vulnerability management, employee security awareness training - often take care of the vast majority of security threats, but companies can't even find the time to undertake these basic elements. Wake up I.T. world, and get serious about information security.
shjacks55, User Rank: Apprentice, 12/27/2013 | 11:50:01 AM
re: Target Confirms Massive Breach Affects 40 Million Customers
1. Target breach collected PIN numbers and magnetic stripe information, making the breached cards more useful, as well as card info. Some reports have mentioned that hackers also gleaned Target's customer profile information (including SSNs) to make (add on) purchase suggestions at checkout. On card smartchip would still have revealed customer identifiable information for identity theft.
2. Several top 10 retailers install POS Terminal OS via bootp from store server (server provides updates to this and other equipment as well) image which receives image updates from corporate IT. As a field tech, I found some corporate IT personnel to be less than professional in addressing "top down" issues.
3. I don't profess to know all financial/POS systems, however many I've encountered run on operating systems or processors on devices, and including "store servers", that have vulnerabilities. (I remember a local hack of Home Depot that lucky for HD the perpetrators had limited ambition.)
4. Corporate security is usually less strict (fewer resources assigned to it) than "loss prevention" implemented at the store level.
macker490, User Rank: Apprentice, 12/21/2013 | 12:22:45 PM
re: Target Confirms Massive Breach Affects 40 Million Customers
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

If the merchant is hacked, the card numbers are then sold on the black market. Hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high-value items -- that can be resold.

It's a rough way to scam cash, and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems.

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor -- with PGP.

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
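The checkout flow macker490 sketches above (the POST hands an invoice to the card, the card returns ciphertext only the service center can read, the POST forwards it unchanged, the service answers with an approval or a denial), as an added example that is not part of the original comment and not the code of any real payment network. It assumes a per-card secret key shared with the service center in place of the comment's PGP key pair, a toy SHA-256/HMAC construction standing in for the PGP layer, and hypothetical names (SmartCard, ServiceCenter, card_id). What it shows is the defensive property the comment is after: the merchant's terminal never handles the PAN and cannot alter the amount without the service noticing, while revocation and expiry are enforced at the service rather than at the store.

```python
import hashlib
import hmac
import json
import os
from datetime import date
from typing import Optional

# Toy authenticated encryption standing in for the comment's PGP layer
# (assumption: each card shares a secret key with the service center).
# SHA-256 counter-mode keystream + HMAC-SHA256 tag; illustration only.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def open_sealed(key: bytes, box: dict) -> Optional[bytes]:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None  # forged, or altered by the terminal in transit
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class SmartCard:
    """Customer card (hypothetical name). The PAN and the key never leave it."""
    def __init__(self, card_id: str, pan: str, key: bytes):
        self.card_id, self._pan, self._key = card_id, pan, key

    def authorize(self, invoice: dict, customer_approves: bool) -> Optional[dict]:
        """The POST submits an invoice; the card answers with ciphertext only the
        service can read. The clear part carries an opaque card_id (so the
        service can find the key), never the PAN."""
        if not customer_approves:
            return None
        msg = {"invoice": invoice, "pan": self._pan, "approve": True}
        box = seal(self._key, json.dumps(msg, sort_keys=True).encode())
        return {"card_id": self.card_id, **box}

class ServiceCenter:
    """The comment's 'PCI Service Center' (hypothetical): issues, revokes, settles."""
    def __init__(self, today: date):
        self.today, self.cards, self.revoked = today, {}, set()

    def issue(self, card_id: str, pan: str, expires: date) -> SmartCard:
        key = os.urandom(32)
        self.cards[card_id] = (key, expires)
        return SmartCard(card_id, pan, key)

    def revoke(self, card_id: str) -> None:
        self.revoked.add(card_id)  # lost card: the comment's 'revoked signature' case

    def process(self, token: dict) -> dict:
        """The POST forwards the ciphertext unchanged; the service decides."""
        entry = self.cards.get(token["card_id"])
        if entry is None:
            return {"approved": False, "reason": "unknown card"}
        key, expires = entry
        if token["card_id"] in self.revoked:
            return {"approved": False, "reason": "card revoked"}
        if self.today > expires:
            return {"approved": False, "reason": "card expired"}
        plain = open_sealed(key, token)
        if plain is None:
            return {"approved": False, "reason": "authorization tampered or forged"}
        inv = json.loads(plain)["invoice"]
        # EFT from customer to merchant; only the approval note goes back to the POST.
        return {"approved": True, "invoice_no": inv["invoice_no"],
                "eft_to": inv["merchant_account"], "amount": inv["amount"]}

def merchant_sees_pan(token: dict, pan: str) -> bool:
    """What the terminal or merchant could learn from the message it forwards."""
    return pan in json.dumps(token)

def checkout(service: ServiceCenter, card: SmartCard, invoice: dict) -> dict:
    """Full flow: POST -> card -> POST forwards ciphertext -> service -> approval note."""
    token = card.authorize(invoice, customer_approves=True)
    return service.process(token)

def build_demo():
    """Constructed sample data (not from any real issuer or merchant)."""
    svc = ServiceCenter(today=date(2013, 12, 20))
    card = svc.issue("card-0001", "4111111111111111", expires=date(2014, 12, 31))
    expired = svc.issue("card-0002", "5555555555554444", expires=date(2013, 1, 1))
    invoice = {"merchant_account": "merchant-42", "invoice_no": "INV-1001",
               "amount": "129.99", "currency": "USD"}
    return svc, card, expired, invoice

if __name__ == "__main__":
    svc, card, expired, invoice = build_demo()
    print(json.dumps(checkout(svc, card, invoice), indent=2))
    print(json.dumps(checkout(svc, expired, invoice), indent=2))
```

The design choice worth noting is that the invoice, including the merchant's account and the amount, travels inside the sealed message rather than beside it, so a compromised terminal of the kind the article describes can neither read the card number nor change what it is paid; all it can do is drop or replay the token, and the nonce gives the service what it needs to spot a replay.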