BreachExchange mailing list archives

Target Says Data for 40 Million Shoppers Was Stolen


From: Jake <jake () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 12:33:44 -0500

http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html?hpw&rref=business&_r=0

SAN FRANCISCO — Target confirmed Thursday morning that it was
investigating a security breach involving stolen credit card and debit
card information for 40 million of its retail customers.

In a statement, Target said that criminals gained access to its
customer information on Nov. 27 — the day before Thanksgiving and just
ahead of one of the busiest shopping days of the year — and maintained
access through Dec. 15.

“As of Dec. 15, we identified an unauthorized access and were able to
resolve the issue,” Molly Snyder, a Target spokeswoman, said in an
email.

A security blogger, Brian Krebs, first reported the breach on Wednesday.

Target said that criminals had stolen customer names, credit or debit
card numbers, expiration dates and three-digit security codes for 40
million customers who had shopped at its stores. The company noted
that online customers were not affected by the breach, which appeared
to have been isolated to the point-of-sale systems in Target’s retail
stores.

Immediately after discovering the breach, Target said, it alerted
federal authorities and financial institutions, and is currently
working with a third-party forensics firm on an investigation.

Brian Leary, a spokesman for the Secret Service, which investigates
financial fraud, said the agency was investigating.

Target advised its store customers to scan their credit and debit
accounts for unauthorized transactions and check their credit reports.

“We take this matter very seriously and are working with law
enforcement to bring those responsible to justice,” Gregg W.
Steinhafel, Target’s chairman and chief executive, said in a
statement.

Point-of-sale systems have become a major target for cybercriminals in
recent years. By breaching point-of-sale systems, they can steal the
so-called track data on credit and debit cards, which can be sold, in
bulk, on the black market and used to create counterfeit cards.

A similar breach affected Barnes & Noble stores last year. Last
year, criminals also breached Global Payment Systems, one of the
biggest card transactions processors. The biggest known security
compromise to date was an attack at Heartland Payment Systems, another
credit card processor, in 2009. Criminals used malware to break into
the company’s internal network and steal data for 130 million cards.

In such cases, security experts said a company insider could have
inserted malicious software into a company machine, or persuaded an
unsuspecting employee to click on a link that downloaded software
giving criminals a foothold into a company’s systems.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss