Target breach shows weaknesses in U.S. data security

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.sfgate.com/business/article/Target-breach-shows-weaknesses-in-U-S-data-5083187.php#page-1

The security breach of credit and debit card data at Target Corp. is
evidence of the increasing threats retailers face and a reminder that the
U.S. lags behind much of the world in securing personal financial
information.

Target said Thursday that data for about 40 million debit and credit cards
may have been wrongfully accessed from Nov. 27 to Dec. 15. Law enforcement,
including the Secret Service, and the state attorneys general of New York
and Massachusetts are looking into the matter. The chain said Friday that
there have been few reports of fraud and that customers won't be held
responsible for any that took place.

The breach occurred when a computer virus infected Target's point-of-sale
terminals, said a person familiar with the matter who asked not to be
identified because the investigation is private. Swiping cards had been
considered safer than shopping online because the data is harder to steal,
according to Dan Kaminsky, co-founder and chief scientist at White Ops, a
cybersecurity firm in New York.

"Attacks of this scale are common, but attacks that get this class of data
are unusual," Kaminsky said. "It's a war out there."

While card terminals have been hacked in the past, the incidents typically
occurred at a single machine or store, not chain-wide, which is why this
breach is troubling, Kaminsky said. Target said account numbers, expiration
dates, cardholder names and credit verification value had been compromised.
That kind of data could be used to make counterfeit credit cards, Kaminsky
said.

Many nations have eliminated the magnetic strips still used in the U.S. and
moved to chips embedded in the cards that are harder to compromise. U.S.
payment processors have said they will replace magnetic strips by 2020;
that deadline may be moved up in the wake of this incident, Kaminsky said.

Data breaches have hit other retailers in the past. TJX Cos., owner of the
T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into
its computer system and stole 45.7 million credit and debit card numbers.
The theft set a record for such breaches. In 2009, the company paid $9.7
million in a settlement with 41 states over the loss of customer data.

Largest in history

In July, four Russians and a Ukrainian were charged in what prosecutors
called the largest hacking scheme in U.S. history, breaking into computers
of retail chains that included 7-Eleven, Carrefour SA and Wet Seal, and
stealing more than 160 million credit card numbers.

Global card fraud losses for banks, merchants and processors climbed 15
percent to $11.3 billion last year from 2011, according to the Nilson
Report, a payments industry newsletter.

Target's security and public relations challenges come as retailers gear up
for the end of a holiday shopping season that ShopperTrak predicts will be
the slowest since 2009. The last thing Target needs as rivals pour on
discounts in a last-ditch grab for sales is for its customers to wonder
whether they should use their cards, said Ken Perkins, an analyst for
Morningstar Inc. in Chicago.

"The timing could be a concern, especially only a few days before
Christmas," he said.

Lawsuit filed

The breach also led to a lawsuit being filed in San Francisco by a customer
claiming that she may have been exposed to identity theft and that "Target
failed to implement and maintain reasonable security procedures and
practices appropriate to the nature and scope of the information
compromised in the data breach," according to the complaint.

Molly Snyder, a spokeswoman for Target, declined to comment on the cause of
the breach, citing the investigation. A separate Target spokeswoman
declined to comment on the lawsuit.

Sales forecast

The breach came after the chain had already cut its annual forecast for
same-store sales growth to 1 percent from as much as 2.5 percent in August.

Doubts about its security could reduce purchases and the number of people
signing up for Target's in-house credit and debit cards, Perkins said.
Those cardholders are the retailer's biggest spenders, he said.

Jami Aspenwall, a 36-year-old mother of five from Cartersville, Ga., said
she canceled her Target-issued debit card after someone made $500 in
purchases with it. Those losses will now force her to postpone a trip to
Florida to see relatives for Christmas because her bank said it may take
two weeks to get the money back.

"We'll have to sit down with the kids tonight and tell them your trip is
likely on hold," said Aspenwall, a stay-at- home mother of kids ranging
from 3 to 18. "I don't want to ruin their Christmas. It's not their fault."

Shoppers at Target.com might be spooked, too. A link across the top of the
site Thursday read: "important notice: unauthorized access to payment card
data in U.S. stores."

"Target's first priority is preserving the trust of our guests and we have
moved swiftly to address this issue, so guests can shop with confidence,"
Chief Executive Officer Gregg Steinhafel said Thursday in a statement.

Card companies

The credit card companies said they are aware of the breach and are working
with Target and law enforcement. Representatives from Discover Financial
Services, Visa, MasterCard, American Express and JPMorgan Chase all said
customers wouldn't be responsible for fraudulent purchases made on their
accounts.

In a letter posted on its website, Target encouraged customers to report
any unusual activity on their accounts to their financial institutions.
Target also said customers could call the company for assistance.

The retailer's customers took to social media to voice displeasure about
the breach and not being able to contact the company about their Target
card accounts.

One was Stephanie Manzano, a 28-year-old from Federal Way, Wash., who swore
off Target after learning that data had been compromised. She canceled her
Target debit card after not being able to reach the retailer's customer
service. She now plans to shop at Walmart.

"It's very stressful," Manzano, a mother of a special-needs child, said. "I
kept calling Target, and I just got a busy signal. While I'm trying to call
them, someone could take my identity and take my money. With a
special-needs child, you're worried about your finances. We're a one-income
household. We can't afford that."

Target is working to fix online access to account information, Snyder said.
She didn't respond to a separate request for comment on reports of
fraudulent charges and canceled cards.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.