Target on Thursday disclosed that 40 million customer accounts might have been accessed by hackers between Nov. 27 and Dec. 15.
Customer names, credit and debit card numbers, card expiration dates and the three-digit security codes on the backs of cards were compromised when they were swiped through machines in stores. The data breach did not extend to online transactions.
Target is working closely with law enforcement and financial institution investigators, and it has partnered with a third-party forensics firm to conduct a thorough probe of the incident.
Customers should check their statements carefully and report suspicious or unauthorized activity to their credit card companies and to Target, the company advised.
A Common Occurrence
The timing of this security breach — at the height of the holiday shopping season — no doubt makes it worse for Target.
However, this is hardly the first instance of a retailer having to confess to millions of customers that their data was stolen.
“Credit card systems, like the ones utilized by big-box retailers, are designed with the customer in mind, rather than security,” noted Cigital CTO John Steven.
“This hack is not a standalone occurrence; it has happened before and will certainly happen again.”
A Worrisome Possibility
Target is remaining tight-lipped about the technical details of the breach.
One possibility is that it resulted from malware being introduced to Target’s POS system.
There are several ways the systems could have been compromised, said Mike Gross, senior manager of risk strategy and professional services at 41st Parameter.
“There have been past examples of everything from drive-by downloads at the store level or centralized retailer network compromises, to vulnerabilities being exposed within the POS software or even malicious code tied back to the POS manufacturer,” he told the E-Commerce Times.
It is critical for Target and federal authorities to perform a full diagnostic of the attack to understand all of the potential points of vulnerability and how the data may have been transmitted back to the attackers, Gross emphasized. “If the issue does ultimately tie back to the POS manufacturer, then the breach could be much broader than originally thought.”
There are steps that Target can take to reduce the chances something like this could happen again.
For starters, the company should improve security on the POS devices themselves by ensuring that any encryption is being done in hardware rather than software, and that relevant patches are installed, suggested Kevin O’Brien, director of product marketing at CloudLock.
It should also follow best practices around handling PCI, including wireless security and physical security precautions, he told the E-Commerce Times.
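The point behind O'Brien's hardware-encryption advice is that if the card reader encrypts track data before it reaches the POS host, no plaintext card number should ever sit in the register's memory or logs for malware to scrape. One way a defender can verify that is to scan memory dumps or log files from POS hosts for card-number-like digit runs and filter them with the Luhn check. The following Python is an added example written for this article; it is not Target's code, not code from any vendor quoted here, and the sample buffer (using publicly known test card numbers) is constructed for illustration.

```python
import re

# Constructed sample of what a POS host's memory or a debug log might contain
# after a swipe. The card numbers are public test numbers, not real cards, and
# the second record mimics ISO 7813 Track 2 layout (";PAN=YYMM...?") with a
# 20-digit trailer so only the PAN itself falls in the 13-19 digit window.
SAMPLE_BUFFER = (
    b"txn=1837 store=0412 ts=2013-12-01T14:02:11\x00"
    b";4111111111111111=25121010000000000000?\x00"
    b"order-id 1234567890123 ref 4111111111111112 amount 23.99\x00"
    b"hw-encrypted token=c9f1a2b7e0d3\x00"
)

# A run of 13-19 digits not adjacent to other digits (typical PAN lengths).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the scanner never re-exposes a PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_plaintext_pans(buffer: bytes) -> list[dict]:
    """Scan a byte buffer for Luhn-valid PAN-like digit runs.

    Each hit records the byte offset, a masked form of the number, and whether
    it sits inside a Track 2 record (preceded by ';' and followed by '=').
    Order and reference numbers that happen to be 13-19 digits but fail Luhn
    are dropped, which keeps the false-positive rate manageable.
    """
    hits = []
    for m in PAN_RE.finditer(buffer):
        digits = m.group(1).decode()
        if not luhn_ok(digits):
            continue
        in_track2 = (
            buffer[m.start() - 1:m.start()] == b";"
            and buffer[m.end():m.end() + 1] == b"="
        )
        hits.append({"offset": m.start(), "masked": mask(digits), "track2": in_track2})
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_pans(SAMPLE_BUFFER):
        kind = "track2" if hit["track2"] else "pan"
        print(f"offset={hit['offset']} {kind} {hit['masked']}")
```

Run against a real process dump or log collection, a non-empty result means cardholder data is reaching the POS host in the clear, which is exactly the condition that makes a memory-scraping compromise pay off; an empty result across the fleet is evidence the reader-side encryption is doing its job. The masked output is deliberate so the monitoring tool does not itself become a new place where card numbers are stored.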
Consumers need to be alert for unusual activity on their credit profiles — not just their Target credit cards, O’Brien added.
“Large retailers frequently correlate PCI data with buyer profiles, and if this theft — which was almost certainly the act of a well organized group of criminals, given the scope and logistical complexity of its execution — also involved these databases,” he said, “then the risk of that information being used to open new accounts and cards is significantly higher.”
As for shunning Target as a security precaution, the barn door is slammed shut, O’Brien quipped.
The crime seems to have been confined to a risk window between Nov. 27 and Dec. 15, he said. “It is most likely safe to use cards at Target again — although what the lingering reputation damage will be is an open question.”