Target Data Breach – Holiday Shopping Season 2013

INVESTIGATION UPDATE:

From KrebsOnSecurity: Target's HVAC contractor was the point of entry for the attack:

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

***

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”

AND ON THE LITIGATION FRONT:

Banks file suit over their costs:

“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.

http://blogs.wsj.com/riskandcompliance/2014/02/07/banks-heap-suits-on-target-over-data-breach/


POST-BREACH REVIEW:

Notification to consumers (not just customers, apparently) looked like a phishing attack itself, with a link to a suspicious subdomain:

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

CHRONOLOGY:

From the New York Times:

DEC. 12 The Secret Service requests a meeting with Target.

13 Target is informed of the breach by the Secret Service and Justice Department.

15 Target removes the malware that evening.

17 Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.

18 MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.

19 Target makes its first public acknowledgement of the breach.

20 Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.

UPDATES:

Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee.  See:

http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-data-breach-next-month

And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc.  The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

http://www.reuters.com/article/2014/01/17/us-target-databreach-idUSBREA0G18P20140117

http://intelcrawler.com/about/press08


Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name, card number. News reports are estimating 40 million accounts impacted.

The Target website includes a banner at the top of the home page with a link to the current information.  Click to that link and Target has included the following information, so far:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

See notice at:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

And news articles at:

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

http://www.latimes.com/business/money/la-fi-mo-target-40-million-credit-debit-cards-possibly-breached-20131219,0,774974.story#axzz2nvWL0Dlb

UPDATE: It appears the magnetic stripe is getting the blame for the security weakness, along with the fact that card data was unencrypted as it passed through Target's payment systems. Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised. Target has not yet specifically identified the method of access or weakness that allowed for the breach.

Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.
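To illustrate the per-transaction value the experts refer to, here is an added, deliberately simplified Python model (not real EMV, and not code from any source cited on this page) of an issuer host verifying a chip cryptogram versus static magnetic-stripe track data; the card key, track data, MAC construction and field sizes are all constructed assumptions.

```python
import hmac
import hashlib
# Constructed toy model (not real EMV) of the contrast in the passage above:
# magnetic-stripe track data never changes, while a chip computes a fresh
# cryptogram per transaction that the issuer can verify and refuse to accept twice.

CARD_KEY = bytes(range(16))                     # hypothetical per-card key shared with issuer
ON_FILE_TRACK = "4111111111111111=2512101"      # constructed static track data for the same card


def card_cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """What the chip computes: a MAC over the application transaction counter (ATC),
    the amount and a terminal-supplied unpredictable number."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer authorization host: holds the card key and the highest ATC seen so far."""

    def __init__(self, key: bytes, track: str) -> None:
        self.key, self.track, self.last_atc = key, track, 0

    def authorize_chip(self, atc: int, amount_cents: int, nonce: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:                # counter must advance: a captured cryptogram is stale
            return False
        expected = card_cryptogram(self.key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                         # amount or nonce differs from what the chip signed
        self.last_atc = atc
        return True

    def authorize_magstripe(self, track: str) -> bool:
        # Nothing in static track data distinguishes the original swipe from a copy.
        return hmac.compare_digest(track.encode(), self.track.encode())


def demo() -> tuple:
    """Returns (genuine chip, chip replay, chip with altered amount, swipe, re-swipe)."""
    issuer = Issuer(CARD_KEY, ON_FILE_TRACK)
    nonce = b"\x01\x02\x03\x04"
    crypt = card_cryptogram(CARD_KEY, 1, 2599, nonce)
    genuine = issuer.authorize_chip(1, 2599, nonce, crypt)
    replay = issuer.authorize_chip(1, 2599, nonce, crypt)
    altered = issuer.authorize_chip(2, 9999, nonce, crypt)
    swipe = issuer.authorize_magstripe(ON_FILE_TRACK)
    reswipe = issuer.authorize_magstripe(ON_FILE_TRACK)
    return genuine, replay, altered, swipe, reswipe
```

The issuer accepts the first chip transaction and rejects both the replay and the altered one, while the static track data is accepted every time it is presented.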

ADDITIONAL UPDATE:

PINs also breached:

http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/?_r=0

UPDATE AND COMMENTARY: 

What are the prospects for class litigation?  Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/?goback=%2Egde_88093_member_5828604845245898755#%21

See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):

[Chart: 2013 Top 10 US Data Breaches]

The IoT needs PByD: FTC Looking at Privacy and Security in the Age of Smart Homes

The Internet of Things is the phrase used to describe technology that talks to technology – connected sensors and embedded technology.  Think of smart homes – your refrigerator knows what and when to restock; your HVAC adjusts to your schedule; personal tech – your heart monitor talks to your health care provider.  The FTC recently convened a workshop to address privacy and security considerations surrounding the use of such applications; see:

http://www.ftc.gov/bcp/workshops/internet-of-things/FINALAGENDA-11-13-13.pdf

In conjunction with the event, the Future of Privacy Forum  released “a whitepaper arguing for a new privacy paradigm in the new highly connected world.”

http://www.futureofprivacy.org/2013/11/19/fpf-releases-a-new-privacy-paradigm-for-the-internet-of-things/

The whitepaper authors argue that the consent/notice approach of the usual customer/consumer paradigm for managing privacy may not be relevant or sufficient in a world where the uses of data cannot be known until after the data has been collected and used. The argument now focuses on Privacy By Design strategies to tackle these thorny issues: anonymizing of data; transparency; codes of conduct; accountability/accessibility.

See IAPP summary of the workshop issues at:  https://www.privacyassociation.org/publications/is_notice_and_consent_possible_with_the_internet_of_things

If we don't get a handle on this now, that wristband I'm wearing may soon force me to add another mile to my jog because it knows what I had for lunch! Let's move, indeed!

And in more IoT news, along comes the worm:

http://allthingsd.com/20131130/a-new-worm-proves-that-the-internet-of-things-is-vulnerable-to-attack/#!

My new excuse – the bathroom scale’s been hacked!


UPDATE:

Google has acquired Nest, the maker of "connected" thermostats and smoke detectors. According to a statement one of Nest's founders delivered to TechCrunch, Nest will only use customer information for "providing and improving Nest's products and services," indicating it will not be used for Google's larger advertising schemes. Of course, the commentators are lining up to speculate about what Google will do with all that data collected straight from a consumer's home. Consumers have likewise been using connectivity in their cars, and now Detroit is increasing that connectivity with cars that will be able to connect to the Internet independently, running custom apps on their own.

See info on Google acquisition of Nest: http://www.engadget.com/2014/01/13/google-acquires-nest/

And, GM’s 2015 roll-out of more connected cars: http://business.time.com/2014/01/07/your-car-is-about-to-get-smarter-than-you-are/

Fun from tomfishburne.com:


And then along came Fridge Spam:

"More than 750,000 Phishing and SPAM emails Launched from 'Thingbots' Including Televisions, Fridge"

"The attack is believed to be one of the first to exploit lax security on devices that are part of the 'internet of things.'"

See press release from Proofpoint: http://www.proofpoint.com/about-us/press-releases/01162014.php

And, BBC update:

http://www.bbc.co.uk/news/technology-25780908#!


Retaliatory DDoS Attack and Large-Scale Hacking: The Threats Continue


Two headline grabbing criminal cases bring stark reminders that services and data remain vulnerable to unauthorized access, misuse and abuse.

In one case, Dutch authorities are holding a suspect on suspicion of participating in a distributed denial of service attack.  Reportedly, the attacks slowed Internet service globally for several days in April (especially for Russia and other European countries).  The authorities suspect that the attacks were in retaliation for postings by a spam-tracking service provider, which listed the accused’s web-hosting service as a suspected spammer.

In the other, old school meets new school.  In February, thieves struck ATMs for over 10 hours, withdrawing $2.4 million in New York City alone. The thieves were part of an Internet hacking ring which was able to manipulate financial information through an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards.  The hacking allowed the thieves to raise the withdrawal limits on the prepaid debit accounts issued by a bank in the United Arab Emirates, the National Bank of Ras Al-Khaimah, a/k/a Rak Bank.  Using prepaid cards does not set off account alarms as quickly because no individual bank account is being compromised.  With five account numbers, hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards.

MasterCard alerted the Secret Service to the activity soon after the transactions were completed.  The thieves first struck in December via the Indian processing company but by February, the hackers had infiltrated a card processing company based in the U.S. (name not yet disclosed).  It remains unclear who ultimately is responsible for the losses.


See NYT articles:

http://www.nytimes.com/2013/05/09/technology/09iht-spam09.html?ref=technology&_r=0

http://www.nytimes.com/2013/05/10/nyregion/eight-charged-in-45-million-global-cyber-bank-thefts.html

See another update – vendors identified (EnStage and ElectraCard):

http://www.reuters.com/article/2013/05/11/net-us-usa-crime-cybercrime-india-idUSBRE94A06P20130511?feedType=RSS&feedName=topNews


NYT Article on BYODs, Workplace App Policies


This is a nice overview of the concerns facing employers who have an active, creative workforce using websites and apps that are not necessarily in conformity with in-house security standards. See article at:

http://www.nytimes.com/2013/03/04/technology/it-managers-struggle-to-contain-corporate-data-in-the-mobile-age.html?pagewanted=2&hpw

Quotes from the article:

“People are going to bring their own devices, their own data, their own software applications, even their own work groups,” drawing off friends and contractors at other companies, said Bill Burns, the director of information technology infrastructure at Netflix. “If you try and implant software that limits an employee’s capabilities, you’re adding a layer of complexity.”

“The popular term now when people bypass the in-house organization is ‘shadow I.T.,’ ” says Sunny Gupta, chief executive of Apptio.

In the comments section below the article, many industry observers share their thoughts:

From Milwaukee, one says:

To be honest, the problem isn’t really the integrity of the apps, but the app user. If a person is going to mis-use proprietary information, they will do it, security or no security.

From New York, the comment is:

HIPAA rules are only taken seriously after the breach, fine or lawsuit. BYOD is what keeps hospital CIOs and CEOs up late at night.

Another suggests corporate IT teams continually lag behind what their personnel want or are doing. One suggests IBM SmartCloud. And, finally, others mention that the best security is either no outside devices inside the office, or an agreement by the employee to keep their device readily available and subject to being wiped clean remotely without notice.