BreachExchange mailing list archives
Target breach shows weaknesses in U.S. data security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Dec 2013 00:18:21 -0700
http://www.sfgate.com/business/article/Target-breach-shows-weaknesses-in-U-S-data-5083187.php#page-1

The security breach of credit and debit card data at Target Corp. is evidence of the increasing threats retailers face and a reminder that the U.S. lags behind much of the world in securing personal financial information.

Target said Thursday that data for about 40 million debit and credit cards may have been wrongfully accessed from Nov. 27 to Dec. 15. Law enforcement, including the Secret Service, and the state attorneys general of New York and Massachusetts are looking into the matter. The chain said Friday that there have been few reports of fraud and that customers won't be held responsible for any that took place.

The breach occurred when a computer virus infected Target's point-of-sale terminals, said a person familiar with the matter who asked not to be identified because the investigation is private.

Swiping cards had been considered safer than shopping online because the data is harder to steal, according to Dan Kaminsky, co-founder and chief scientist at White Ops, a cybersecurity firm in New York.

"Attacks of this scale are common, but attacks that get this class of data are unusual," Kaminsky said. "It's a war out there."

While card terminals have been hacked in the past, the incidents typically occurred at a single machine or store, not chain-wide, which is why this breach is troubling, Kaminsky said.

Target said account numbers, expiration dates, cardholder names and credit verification value had been compromised. That kind of data could be used to make counterfeit credit cards, Kaminsky said.

Many nations have eliminated the magnetic strips still used in the U.S. and moved to chips embedded in the cards that are harder to compromise. U.S. payment processors have said they will replace magnetic strips by 2020; that deadline may be moved up in the wake of this incident, Kaminsky said.

Data breaches have hit other retailers in the past. TJX Cos., owner of the T.J. Maxx and HomeGoods chains, reported in 2007 that hackers broke into its computer system and stole 45.7 million credit and debit card numbers. The theft set a record for such breaches. In 2009, the company paid $9.7 million in a settlement with 41 states over the loss of customer data.

Largest in history

In July, four Russians and a Ukrainian were charged in what prosecutors called the largest hacking scheme in U.S. history, breaking into computers of retail chains that included 7-Eleven, Carrefour SA and Wet Seal, and stealing more than 160 million credit card numbers.

Global card fraud losses for banks, merchants and processors climbed 15 percent to $11.3 billion last year from 2011, according to the Nilson Report, a payments industry newsletter.

Target's security and public relations challenges come as retailers gear up for the end of a holiday shopping season that ShopperTrak predicts will be the slowest since 2009.

The last thing Target needs as rivals pour on discounts in a last-ditch grab for sales is for its customers to wonder whether they should use their cards, said Ken Perkins, an analyst for Morningstar Inc. in Chicago.

"The timing could be a concern, especially only a few days before Christmas," he said.

Lawsuit filed

The breach also led to a lawsuit being filed in San Francisco by a customer claiming that she may have been exposed to identity theft and that "Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach," according to the complaint.

Molly Snyder, a spokeswoman for Target, declined to comment on the cause of the breach, citing the investigation. A separate Target spokeswoman declined to comment on the lawsuit.

Sales forecast

The breach came after the chain had already cut its annual forecast for same-store sales growth to 1 percent from as much as 2.5 percent in August.

Doubts about its security could reduce purchases and the number of people signing up for Target's in-house credit and debit cards, Perkins said. Those cardholders are the retailer's biggest spenders, he said.

Jami Aspenwall, a 36-year-old mother of five from Cartersville, Ga., said she canceled her Target-issued debit card after someone made $500 in purchases with it. Those losses will now force her to postpone a trip to Florida to see relatives for Christmas because her bank said it may take two weeks to get the money back.

"We'll have to sit down with the kids tonight and tell them your trip is likely on hold," said Aspenwall, a stay-at-home mother of kids ranging from 3 to 18. "I don't want to ruin their Christmas. It's not their fault."

Shoppers at Target.com might be spooked, too. A link across the top of the site Thursday read: "important notice: unauthorized access to payment card data in U.S. stores."

"Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence," Chief Executive Officer Gregg Steinhafel said Thursday in a statement.

Card companies

The credit card companies said they are aware of the breach and are working with Target and law enforcement. Representatives from Discover Financial Services, Visa, MasterCard, American Express and JPMorgan Chase all said customers wouldn't be responsible for fraudulent purchases made on their accounts.

In a letter posted on its website, Target encouraged customers to report any unusual activity on their accounts to their financial institutions. Target also said customers could call the company for assistance.

The retailer's customers took to social media to voice displeasure about the breach and not being able to contact the company about their Target card accounts.

One was Stephanie Manzano, a 28-year-old from Federal Way, Wash., who swore off Target after learning that data had been compromised. She canceled her Target debit card after not being able to reach the retailer's customer service. She now plans to shop at Walmart.

"It's very stressful," Manzano, a mother of a special-needs child, said. "I kept calling Target, and I just got a busy signal. While I'm trying to call them, someone could take my identity and take my money. With a special-needs child, you're worried about your finances. We're a one-income household. We can't afford that."

Target is working to fix online access to account information, Snyder said. She didn't respond to a separate request for comment on reports of fraudulent charges and canceled cards.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/