From KrebsonSecurity: Target’s HVAC contractor was the vulnerability for the attack–
“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.
It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.
Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”
AND ON THE LITIGATION FRONT:
Banks file suit over their costs:
“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.
Notification to consumers (not just customers, apparently) appeared to be a phishing attack and with link to suspicious subdomain:
From the New York Times:-
DEC. 12 The Secret Service requests a meeting with Target.
13 Target is informed of the breach by the Secret Service and Justice Department.
15 Target removes the malware that evening.
17 Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.
18 MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.
19 Target makes its first public acknowledgement of the breach.
20 Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.
Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee. See:
And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc. The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.
Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name, card number. News reports are estimating 40 million accounts impacted.
The Target website includes a banner at the top of the home page with a link to the current information. Click to that link and Target has included the following information, so far:
“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…
We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”
See notice at:
And news articles at:
UPDATE: It appears the magnetic strip is getting the blame for the security weakness and the fact that the data from the Target systems was unencrypted as the data transferred through the payment system. Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised. Target has not yet specifically identified the method of access or weakness that allowed for the breach.
Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.
PINs also breached:-
UPDATE AND COMMENTARY:
What are the prospects for class litigation? Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?
See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):