
Potential Massive Target Retailer Data Breach



Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn. based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.


It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.


Article by: Brian Krebs, krebsonsecurity.com


I read an interesting AP story in the newspaper today. It stated that the reason so many American companies become victims of hacker activity is that we Americans still use the old 20th century technology of magnetic strips on our credit & debit cards. Some countries have switched to using digital microchips that produce a random set of access account numbers each time the card is used, which makes the cards very hard to exploit or replicate. That's why companies in the good ol' U.S. of A. are usually targeted. 20th century tech. being exploited by 21st century hackers! Magnetic strips for cards have been around since audio cassette tapes were first introduced to replace 8 track cassettes (remember those?)!


The article also stated that many companies are reluctant to spend additional resources for security for fear of losing some almighty profits and thus being accountable to the shareholders. Then they try to pass the buck and blame someone else for the security breach. What about being accountable to the people that mean the most to a company staying afloat, the customers! Backwards thinking indeed by the retailers and credit card issuers in my opinion! Why have we not switched to the microchips too?


It's estimated that as many as 40 million Target customers may have been affected by this latest breach. Some Target customers are very upset, and rightly so, that the web site & customer service have been slow to respond or not been much of a help to the folks that may have been victims. They still don't know exactly how much or what type of data was stolen as the investigation continues. I'm sure this story isn't over yet!


Cheers, Ritchie...


This story "is" getting worse by the minute. Now some of that stolen data has surfaced on the black market! Here's an article by Nick Statt, CNET staff writer, outlining this latest development. Read on.


As if the Target hack ordeal couldn't get any worse -- data from the retail chain's massive security breach stolen between November 27 and December 15 is popping up in huge quantities on the black market, The New York Times reported Friday.

After Target conceded Thursday that its in-store point-of-sale systems were indeed hacked, compromising as many as 40 million debit and credit card accounts, fraud industry experts are seeing the information flood online card-selling markets to the tune of a "ten- to twentyfold increase" in high-value cards.

The hack, which affected only shoppers who made purchases physically at Target stores and not online customers, was a sophisticated operation. It allowed the hackers to glean customer names, credit and debit card numbers, expiration dates, and three-digit security codes from customers, data that can then be burned onto counterfeit cards and sold on the black market typically for $20 to $45 apiece.

However, Brian Krebs, the security blogger who broke the story of the breach, reported Friday that batches of up to 1 million cards were selling for anywhere from $20 to as high as $100 per card.


Target CEO Gregg Steinhafel released a statement assuring customers that no one will be held responsible for fraudulent charges and that only a few instances of fraud had since been reported. That echoes a sentiment by Visa yesterday in a statement to CNET in which a company spokesperson said, "Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows."

Steinhafel also said that no PINs had been compromised, a grave concern for those potentially affected as compromised PINs would allow one in possession of a counterfeit card to withdraw cash from an ATM. He added that Target had no reason to believe that customers' Social Security numbers or dates of birth were scooped up in the hack.

Target expects to have notified all 40 million of those affected via e-mail by the end of the weekend. In an attempt to save itself from what will inevitably be a disastrous hit to its holiday sales, Steinhafel also announced a promotion:

We're in this together, and in that spirit, we are extending a 10% discount -- the same amount our team members receive -- to guests who shop in US stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.

Update at 8:45 a.m. PT on December 21: Target is also claiming that only data from a card's magnetic strip has been breached, meaning no three- or four-digit security codes that enable one to make online purchases were compromised in the hack.



This topic is now archived and is closed to further replies.
