In a statement posted on its website, Target said unauthorized access to payment card data "may have impacted certain guests" who made credit and debit purchases at its U.S. stores.
"Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue," the statement says.
The data theft took place from Nov. 27 to Dec. 15, according to Target, and "may have impacted" 40 million customers. The company has not officially said how the breach occurred, but many experts suspect a compromise of the point-of-sale systems data at brick-and-mortar stores because Target said its online business "was not affected."
From the courts to social media, Target customers have reacted badly to the news of the breach. A customer in California filed a class-action lawsuit against Target late on Thursday. Samantha Wredberg said in a court filing that she was a regular shopper at Target and made a purchase at a company store on Dec. 8. Wredberg is seeking damages and requested the court to certify the lawsuit as class action.
Wredberg also asked the court to determine whether "Target unreasonably delayed in notifying affected customers of the data breach."
Target's stock was down 2.2 percent at $62.15 on the New York Stock Exchange on Thursday. Many customers made negative posts on the Target Facebook page, some stating that they will no longer shop at the company's stores.
The security industry reacted quickly with comments about the breach. Some speculated on the cause of the breach, while many others drew lessons and conclusions from its occurrence:
• "It appears that the majority of this information was taken from the point-of-sale (POS) machines themselves, which were infected by malware that intercepted the data itself during the magstripe swipe," said Kevin O'Brien, director of product marketing at CloudLock, in an analysis of the breach.
"Target's POS machines were most likely designed to be fast, convenient, and easy for store employees and customers to use and maintain," O'Brien said. "However, they were responsible for moving and managing a tremendous amount of high-value information, and it is clear that the security and monitoring systems in place were inadequately designed and managed."
• "The most likely scenario is the attackers hacked their way to a central relay point [in Target's POS network], where they could snag credit cards coming through for processing from multiple stores," said Lucas Zaichkowsky, enterprise defense architect at security incident response firm AccessData. "A second, less likely possibility is that the attackers identified a weakness replicated across multiple stores. They would then break into all affected locations the same way and set up their tools that sniff credit card data at the store level."
• "Recently, we have seen that attackers have been increasingly focused on small businesses and retail merchants," said Bala Venkat, chief marketing officer at application security firm Cenzic. "When searching for vulnerable targets, attackers are discovering that many retail merchants and point of sale terminals haven't implemented some of the basic security measures required by the PCI DSS (Payment Card Industry Data Security Standard).
"As a result, attackers increasingly are seeking to compromise the retail merchants environments through targeted, 'production line'-type attacks," Venkat said. "Unfortunately, these attacks go undetected for long periods of time due to a lack of monitoring by the retail merchants."
Although some Target customers complained that the retail giant took too long to inform them about the breach, most security experts agreed that the company reacted relatively quickly compared to other attacks on retail chains. Many experts compared the breach to the massive TJX compromise of 2007, which affected even more customers than the Target breach.
"What's most surprising about the Target breach isn't that it happened, but the speed with which Target was able to react -- the window of time that the breach was in force was only a few weeks," noted Mike Murray, managing partner of MAD Security, a firm that focuses on human vulnerabilities and solutions for enterprise security.
"This is a great deal more effective than we've seen in other breaches," Murray said. "We need not to be punishing Target, but rewarding them for their vigilance -- especially when the easiest behavior would have been to ignore their information security responsibilities or attempt to sweep the issue under the rug."
Many experts pointed out that the data compromise indicates a possible breach of PCI DSS guidelines set by payment card providers, and that fines for negligence may follow. Attorneys General in New York and Massachusetts told the media that they have asked Target for more information about the breach and will evaluate whether the proper controls had been implemented.
"This raises the question, was Target PCI-compliant?" asked W. Hord Tipton, managing director at security professionals' association (ISC)2. "Most of the time in these investigations, companies hit like this aren't really in compliance."
Some retailers that have experienced major breaches were later found to be PCI compliant at the time of those breaches, which suggests that the guidelines may not be strong enough, Tipton stated.
"This breach puts PCI on the hot seat," Tipton said. "Is this standard still the right one? Technology changes so quickly, and threat actors continue to advance their techniques. Do we need better standards that can keep up with the changing threat landscape? I'd say yes."
While the industry struggles with the right standards, Target will have to take steps to keep its customers, said Conan Dooley, security analyst at Bishop Fox, a consultancy that helps enterprises evaluate their defenses and audit their compliance with security guidelines.
"How [the compromise] affects Target's sales over the holidays is going to be largely determined by how they react to this breach," Dooley said. "They could provide insight into the processes and resources being used to reassure customers that their data will be safe in the future. Or they could fail to handle the problem gracefully and erode the faith that consumers have in the brand.
"I think the best way for Target to regain trust would be to not only catch the individuals responsible, but also illustrate how they have secured their infrastructure against the threat of future attacks," Dooley stated. "The worst reaction they could have would be to downplay or trivialize the seriousness of the breach, only to have their systems compromised again in the future."
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.