Target Breach Update: Warnings Ignored


UPDATE:

Target's CEO is being replaced after a 35-year career with the company.  News like that should get the attention of corporate boards looking at their overall risk profile and at how much a data breach can cost the bottom line.  Last week, Target announced a new Chief Information Officer and additional security enhancements, including a move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.

http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1925811&highlight=

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1923423&highlight=

UPDATE: Bloomberg BusinessWeek is reporting:

“In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#r=hpt-tout

“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”


See post below with description of the Target breach and the aftermath.

Now, it is being reported in the press that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems' vulnerability to malware, but the request was brushed off.  The request was a response to governmental and industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.

http://www.usatoday.com/story/money/business/2014/02/14/target-warned-breach/5494911/

Trade group emerges:

On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced.  The group is bringing together retail and financial services sectors.  The group’s goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.”  The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups including the National Retail Federation are also participating.

http://www.americanbanker.com/issues/179_31/retail-banking-trade-groups-form-cybersecurity-partnership-1065605-1.html

Cases and Classes: Updates on Litigation, Decisions Relating to Data Breaches

Sony

In the Sony Gaming Networks litigation, currently pending in the U.S. District Court for the Southern District of California, the trial court entered a decision on January 21, 2014 ruling on Sony's Motion to Dismiss class action litigation, which arose out of the April 2011 breach of Sony's PlayStation Network. Sony sought dismissal of plaintiffs' First Amended Complaint on several grounds, including standing. Sony argued that plaintiffs did not have standing to pursue non-Ohio state law claims on behalf of non-Ohio residents (the consolidated action includes Named Plaintiffs from Massachusetts, New Hampshire, Florida, California, Missouri, Michigan, Texas, Ohio and New York – fifty-one claims in the consolidated action, including negligence, negligent misrepresentation, breach of express/implied warranty, violation of state consumer protection statutes, violation of the CA Database Breach Act, violation of FCRA and bad faith). The court dismissed without leave to amend the Ohio and FCRA claims. In addition, Sony sought to dismiss on the basis of Article III standing – that plaintiffs' allegations failed to allege an "injury-in-fact" as a result of the intrusion. Essentially, Sony sought another ruling on the issue in light of the Supreme Court's ruling in Clapper v. Amnesty International. In Clapper, journalists and human rights activists alleged they were potential targets of the government under the Foreign Intelligence Surveillance Act ("FISA") because their work requires them to communicate with international subjects. The Clapper plaintiffs argued that they would be targeted under the Act and that they already had undertaken costly and burdensome measures to protect the confidentiality of international sources. The Supreme Court found that the claimants failed to show that the "threatened injury" was "certainly impending." The Supreme Court stated that a "speculative chain of possibilities … based on potential future surveillance" was not enough.

The Supreme Court also noted that if parties could base Article III standing on reasonably incurred costs to avoid the risk of future harm, this would water down the fundamental requirements of Article III.

Sony argued that the Clapper ruling resulted in a more "tightened 'injury-in-fact' analysis" than the standard relied upon by the trial court (under Krottner v. Starbucks). Judge Battaglia in the Sony Gaming decision refused to acknowledge a distinction between the analyses he previously made based on Krottner and the Supreme Court's standards outlined in Clapper. Judge Battaglia stated that courts in the Ninth Circuit "have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed…" Judge Battaglia said that although Sony argued that plaintiffs' allegations were insufficient because none of the named plaintiffs alleged that their personal information was actually accessed by a third party, nonetheless, plaintiffs "plausibly alleged a 'credible threat' of impending harm…"

This is another test of the injury-in-fact issue relating to the so-called fear of identity theft. The cases cited by Judge Battaglia addressed whether personal information was disclosed (Facebook), whether personal information was even exposed (LinkedIn) or whether personal information had been disseminated (Google). The distinctions in the cases regarding whether a plaintiff can allege some kind of injury, for now, appear to turn on whether a court finds that the plaintiff(s) have alleged sufficient facts to show some kind of collection and disclosure of personal information. As more and more data breach scenarios are tested in class litigation, we likely will see courts continue to refine this analysis.

Kaiser

In other breach news, the Attorney General for the State of California filed suit on January 24, 2014 against Kaiser Foundation Health Plan alleging violations of unfair business codes because of Kaiser's alleged delay in disclosing a breach of its security systems. The AG alleges that on September 24, 2011, Kaiser learned that an external hard drive containing unencrypted personal information of former and current Kaiser employees had been purchased by a member of the public at a thrift store in Santa Cruz. Included in the data were employee names, SSNs, DOBs, addresses and personal information of some employee spouses and children (data going back to 2009). Kaiser secured the data and conducted an examination, completed by December 28, 2011, that revealed over 30,000 SSNs and other sensitive information. Kaiser continued the inventory, and the AG alleges that Kaiser had sufficient information to identify and notify at least some individuals between December 2011 and February 2012. Instead, the AG notes, Kaiser began mailing letters on or about March 19, 2012. The AG also alleges that Kaiser violated CA code by publicly posting or displaying SSNs of 20,000 plus residents. The AG seeks $2500 for each violation.

Horizon

On January 28, 2014, a putative nationwide class action suit was filed against Horizon Healthcare Services (d/b/a Horizon Blue Cross Blue Shield of New Jersey) alleging that Horizon failed to secure PII and PHI including names, DOBs, SSNs, addresses, demographic information, medical histories, lab results, insurance information and other data collected by Horizon. The allegations deal with an incident in November 2013 when two unencrypted laptops were stolen from Horizon's headquarters in Newark, New Jersey. Plaintiffs allege violations of the Horizon privacy policy; that Horizon did not undertake encryption measures even though it suffered a similar breach in 2008; and that Horizon ignored government and industry warnings regarding encryption. The counts include violations of FCRA, negligence, breach of contract (the members' health insurance contracts or handbook include privacy representations/safeguards), and violations of NJ consumer fraud statutes (misrepresentations/omissions re: privacy policies and encryption; failure to destroy unneeded records; failure to expediently notify following a breach).

This is yet another example of how the healthcare and health insurance industries will remain a target given the wealth of member information they manage. As with the recent Target data breaches, predictably, legislators took the opportunity to investigate and interrogate company officials.  See article at:

http://www.nj.com/politics/index.ssf/2014/01/nj_senate_health_panel_grills_horizon_about_two_stolen_laptops.html


Target Data Breach – Holiday Shopping Season 2013

INVESTIGATION UPDATE:

From KrebsonSecurity: Target's HVAC contractor was the point of entry for the attack:

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

***

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”

AND ON THE LITIGATION FRONT:

Banks file suit over their costs:

“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.

http://blogs.wsj.com/riskandcompliance/2014/02/07/banks-heap-suits-on-target-over-data-breach/


POST-BREACH REVIEW:

The notification sent to consumers (not just customers, apparently) looked like a phishing attack, complete with a link to a suspicious subdomain:

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

CHRONOLOGY:

From the New York Times:

Dec. 12 The Secret Service requests a meeting with Target.

Dec. 13 Target is informed of the breach by the Secret Service and Justice Department.

Dec. 15 Target removes the malware that evening.

Dec. 17 Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.

Dec. 18 MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.

Dec. 19 Target makes its first public acknowledgement of the breach.

Dec. 20 Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.

UPDATES:

Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee.  See:

http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-data-breach-next-month

And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc.  The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

http://www.reuters.com/article/2014/01/17/us-target-databreach-idUSBREA0G18P20140117

http://intelcrawler.com/about/press08


Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name and card number.  News reports are estimating 40 million accounts impacted.

The Target website includes a banner at the top of the home page with a link to the current information.  Follow that link and Target has included the following information, so far:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

See notice at:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

And news articles at:

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

http://www.latimes.com/business/money/la-fi-mo-target-40-million-credit-debit-cards-possibly-breached-20131219,0,774974.story#axzz2nvWL0Dlb

UPDATE:  It appears the magnetic stripe is getting the blame for the security weakness, along with the fact that the data from the Target systems was unencrypted as it transferred through the payment system.  Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised.  Target has not yet specifically identified the method of access or weakness that allowed for the breach.

Experts suggest it is time for U.S. card issuers to move to the chip-card system, currently in use in most other markets, because chip cards generate a different encrypted value for each transaction, making it harder for criminals to use stolen data for future purchases.
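As an added illustration of why a per-transaction value resists reuse (this is example code written for this post, not code from Target, any card network, or a real EMV implementation): a simplified cryptogram built from an HMAC over a transaction counter, amount and terminal nonce, with the issuer rejecting a record that is replayed verbatim and a record altered without the card key. The ChipCard and Issuer classes, the test PAN and the keys are all constructed for the demo.

```python
import hmac
import hashlib
import secrets


class ChipCard:
    """Card side (constructed demo): a secret key plus an application
    transaction counter (ATC) that increments on every transaction."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|".encode() + terminal_nonce
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce.hex(), "mac": mac}


class Issuer:
    """Issuer side: shares the card key and remembers the highest ATC seen,
    so a captured cryptogram cannot be presented a second time."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, tx: dict, amount_cents: int) -> tuple:
        key = self._keys.get(tx["pan"])
        if key is None:
            return False, "unknown card"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return False, "replayed or stale counter"
        if tx["amount"] != amount_cents:
            return False, "amount mismatch"
        msg = f"{tx['pan']}|{tx['atc']}|{tx['amount']}|".encode() + bytes.fromhex(tx["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tx["mac"]):
            return False, "bad cryptogram"
        self._last_atc[tx["pan"]] = tx["atc"]
        return True, "approved"


def demo() -> tuple:
    """Run one genuine purchase, a verbatim replay of it, an altered copy
    made without the key, and a second genuine purchase."""
    key = secrets.token_bytes(16)
    card = ChipCard("4111111111111111", key)  # constructed test PAN
    issuer = Issuer()
    issuer.enroll(card.pan, key)
    tx1 = card.generate_cryptogram(4999, secrets.token_bytes(4))
    first = issuer.authorize(tx1, 4999)
    replay = issuer.authorize(tx1, 4999)                 # same record again
    altered = dict(tx1, atc=tx1["atc"] + 1, amount=100)   # counter bumped, MAC stale
    forged = issuer.authorize(altered, 100)
    tx2 = card.generate_cryptogram(1250, secrets.token_bytes(4))
    second = issuer.authorize(tx2, 1250)
    return first, replay, forged, second


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "forged", "second"), demo()):
        print(label, result)
```

Static magnetic-stripe track data has no counter or MAC, so a copy is indistinguishable from the original at authorization time; that difference is the whole point of the recommendation above.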

ADDITIONAL UPDATE:

PINs also breached:

http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/?_r=0

UPDATE AND COMMENTARY: 

What are the prospects for class litigation?  Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/?goback=%2Egde_88093_member_5828604845245898755#%21

See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):

[Figure: 2013 Top 10 US Data Breaches]

The Office Workhorse is a Digital Machine


And it is worth sanitizing.

On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the discovery of sensitive health data stored on copier hard drives.


Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that still contained confidential medical information on its hard drive.  Affinity then reported this breach to the HHS Office for Civil Rights on April 15, 2010.  Affinity estimated that up to 344,579 individuals may have been affected by the breach.

OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.  Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”

See HHS press release: http://www.hhs.gov/news/press/2013pres/08/20130814a.html

California AG Issues Report on Data Breaches Covering 2012


In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012.  The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and, more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders.  See link to AG website:  http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million.

Notably, Attorney General Harris provides some recommendations:

  • Companies should encrypt digital personal information
  • Companies and agencies should review and tighten security controls
  • Companies and agencies should improve readability of breach notices
  • Companies and agencies should offer mitigation products
  • And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password

This last recommendation would appear to significantly alter the notification landscape as there are numerous breaches that do not fall within the reporting/notifying criteria given the nature of the information impacted.  States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs) and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud.  The Data Breach Report notes that, in recent years, intrusions online have targeted passwords and other account credentials, which then allows criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter).  The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts.  A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”

The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013.  Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.

Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email.  Other than the statutory suggestions, the Report serves as a guidepost for businesses, given the admonishments regarding improvement for security, clarity/accessibility in the actual notification texts and encouraging the notifying entities to offer credit security freezes.  With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.

[Figure: cover of the California Data Breach Report 2012]

Retaliatory DDoS Attack and Large-Scale Hacking: The Threats Continue


Two headline-grabbing criminal cases bring stark reminders that services and data remain vulnerable to unauthorized access, misuse and abuse.

In one case, Dutch authorities are holding a suspect on suspicion of participating in a distributed denial of service attack.  Reportedly, the attacks slowed Internet service globally for several days in April (especially for Russia and other European countries).  The authorities suspect that the attacks were in retaliation for postings by a spam-tracking service provider, which listed the accused’s web-hosting service as a suspected spammer.

In the other, old school meets new school.  In February, thieves struck ATMs for over 10 hours, withdrawing $2.4 million in New York City alone. The thieves were part of an Internet hacking ring which was able to manipulate financial information through an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards.  The hacking allowed the thieves to raise the withdrawal limits on the prepaid debit accounts issued by a bank in the United Arab Emirates, the National Bank of Ras Al-Khaimah, a/k/a Rak Bank.  Using prepaid cards does not set off account alarms as quickly because no individual bank account is being compromised.  With five account numbers, hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards.

MasterCard alerted the Secret Service to the activity soon after the transactions were completed.  The thieves first struck in December via the Indian processing company but by February, the hackers had infiltrated a card processing company based in the U.S. (name not yet disclosed).  It remains unclear who ultimately is responsible for the losses.


See NYT articles:

http://www.nytimes.com/2013/05/09/technology/09iht-spam09.html?ref=technology&_r=0

http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

See another update – vendors identified (EnStage and ElectraCard):

http://www.reuters.com/article/2013/05/11/net-us-usa-crime-cybercrime-india-idUSBRE94A06P20130511?feedType=RSS&feedName=topNews


Apple, Facebook, Twitter: Mobile App Development Leads to Hacking?


Watering Holes and Spear Phishing

From AllThingsD:

http://allthingsd.com/20130219/this-is-the-site-likely-responsible-for-the-recent-major-tech-company-hacks/

“A ‘watering hole’ attack, in that it’s launched from a centralized, popular location that many people visit across multiple industries.”

Twitter reports at least 250,000 accounts affected.  Attack reportedly originated in Eastern Europe:

http://www.theverge.com/web/2013/2/19/4006868/hackers-exploit-java-vulnerability-apple-facebook-twitter#apple-facebook-and-twitter-hacks-reportedly-originated-in-eastern