Hello, Target shoppers. Just in time for the holidays, your credit card data has been compromised. And according to Brian Krebs, the purloined information has been “flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” Krebs, who broke the story on his blog, Krebs On Security, on Wednesday, says that:
“[A bank, having been notified that a “card shop” with a reputation as a reliable source for stolen credit and debit cards] had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store…browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.”
But here’s the kicker:
“When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop,” says Krebs, “it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”
The day after Krebs’ revelation, the retailer issued a statement confirming that the customer information for roughly 40 million credit and debit cards swiped at Target stores between 27 November and 15 December had been, well, swiped. The company initially thought that the period over which the breach yielded stolen payment card information ended on 6 December, but as the investigation into the break-in continued, those hopes were dashed.
The team looking into the breach says it has found nothing to indicate that Target’s online customers were affected. What’s not known at this time is whether the hackers were able to gather PIN information for debit transactions. If they did, it would be possible to make phony cards that could empty bank accounts by withdrawing cash from ATMs.
Why the bricks-and-mortar and not the e-commerce customers? Though nothing has been confirmed, computer security experts suspect that the attackers went for the retailer’s point-of-sale (POS) system, the point of entry seen as the weakest link. The vulnerability of point-of-sale systems lies in the fact that they’re “usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider,” Mark Bower, vice president of product management at Voltage Security, said in a statement. “In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable,” says Bower.
Target will get a chance to explain exactly how it happened in court. A Bloomberg Businessweek article says that a California resident affected by the data breach has already filed a lawsuit against the company. The complaint asserts that, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The plaintiff, says the article, is looking to make it into a class-action suit.
Furthering the indignity, the retailer's online systems and call centers have been overwhelmed by a torrent of customers trying to find out more about the attack and to determine whether they had been affected, according to the StarTribune—the hometown newspaper of Minneapolis, Minnesota,-based Target.