Target Breach Update: Warnings Ignored

UPDATE:

Target's CEO is being replaced after a 35-year career with the company. News like that should get the attention of corporate boards weighing their overall risk profile and how much a data breach matters to the bottom line. Last week, Target announced a new Chief Information Officer and additional security enhancements, including a move with MasterCard to incorporate chip-and-PIN technology in its own branded credit card.

http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1925811&highlight=

http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1923423&highlight=

UPDATE: Bloomberg BusinessWeek is reporting:

“In the days prior to Thanksgiving 2013, someone installed malware in Target’s security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. At the critical moment—when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe—the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers.”  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#r=hpt-tout

“For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.”

 

See post below with description of the Target breach and the aftermath.

The press is now reporting that employees were aware that an analyst at the retailer wanted to do a more thorough security review of its payment systems' vulnerability to malware, but the request was brushed off. The request came in response to governmental/industry warnings in 2013 about the emergence of new types of malicious computer code targeting payment terminals.

http://www.usatoday.com/story/money/business/2014/02/14/target-warned-breach/5494911/

Trade group emerges:

On February 13, 2014, a new trade group headed by former governor Tim Pawlenty was announced. The group brings together the retail and financial services sectors. Its goals include “improving card security technology and promoting the exchange of information in order to help companies ward off cyber attacks.” The partnership was initiated by the Retail Industry Leaders Association and the Financial Services Roundtable. The American Bankers Association, the Consumer Bankers Association, Independent Community Bankers of America, The Clearing House and a number of merchant groups including the National Retail Federation are also participating.

http://www.americanbanker.com/issues/179_31/retail-banking-trade-groups-form-cybersecurity-partnership-1065605-1.html

Target Data Breach – Holiday Shopping Season 2013

INVESTIGATION UPDATE:

From KrebsOnSecurity: Target’s HVAC contractor was the point of vulnerability for the attack:

“It’s not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

***

It remains unclear when the dust settles from this investigation whether Target will be liable for failing to adhere to payment card industry (PCI) security standards, violations that can come with hefty fines.

Avivah Litan, a fraud analyst with Gartner Inc., said that although the current PCI standard (PDF) does not require organizations to maintain separate networks for payment and non-payment operations (page 7), it does require merchants to incorporate two-factor authentication for remote network access originating from outside the network by personnel and all third parties — including vendor access for support or maintenance (see section 8.3).”

AND ON THE LITIGATION FRONT:

Banks file suit over their costs:

“The cancellation and reissuance of cards has caused significant damages and losses to Amalgamated and members of its class,” the company said in its complaint.

http://blogs.wsj.com/riskandcompliance/2014/02/07/banks-heap-suits-on-target-over-data-breach/

 

POST-BREACH REVIEW:

The notification sent to consumers (not just customers, apparently) looked like a phishing attack and included a link to a suspicious subdomain:

http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

CHRONOLOGY:

From the New York Times:

Dec. 12: The Secret Service requests a meeting with Target.

Dec. 13: Target is informed of the breach by the Secret Service and Justice Department.

Dec. 15: Target removes the malware that evening.

Dec. 17: Credit card companies are given information about which cards were compromised. Target determines 40 million customers were affected and tells financial firms it will publicly announce the breach on Dec. 18.

Dec. 18: MasterCard and Visa begin informing banks of the breach. Brian Krebs publishes a story on the breach in the afternoon.

Dec. 19: Target makes its first public acknowledgement of the breach.

Dec. 20: Target tells its financial partners that credit card data and encrypted PIN data had been taken. JPMorgan decides at night to reissue all debit cards that were compromised and keep its branches open late over the weekend.

UPDATES:

Congressional hearing: Target and Secret Service representatives are asked to testify before the House Commerce sub-committee.  See:

http://thehill.com/blogs/hillicon-valley/technology/195664-target-to-testify-on-data-breach-next-month

And from Reuters: A cybersecurity firm, IntelCrawler, said it has uncovered at least six ongoing attacks at merchants across the United States whose credit card processing systems are infected with the same type of malicious software used to steal data from credit cards at Target Inc.  The attackers used an inexpensive “off the shelf” malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

http://www.reuters.com/article/2014/01/17/us-target-databreach-idUSBREA0G18P20140117

http://intelcrawler.com/about/press08

Target, one of the largest US retailers, is reporting a data breach from November 27th through December 15th, involving consumer credit card data – customer name, card number. News reports are estimating 40 million accounts impacted.

The Target website includes a banner at the top of the home page with a link to the current information. On the linked page, Target has posted the following information so far:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013…

We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).”

See notice at:

https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

And news articles at:

http://www.reuters.com/article/2013/12/19/us-target-breach-idUSBRE9BH1GX20131219

http://www.latimes.com/business/money/la-fi-mo-target-40-million-credit-debit-cards-possibly-breached-20131219,0,774974.story#axzz2nvWL0Dlb

UPDATE: It appears the magnetic stripe is getting the blame for the security weakness, along with the fact that data in the Target systems was unencrypted as it passed through the payment system. Reportedly, 40 million accounts had names, credit/debit card numbers, expiration dates and three-digit security codes compromised. Target has not yet specifically identified the method of access or weakness that allowed for the breach.

Experts suggest it is time for U.S. card issuers to go to the chip-card system, currently in use in most other markets, as chip cards use a different encrypted mathematical value for each transaction, making it harder for criminals to use stolen data for future purchases.
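An added illustration, not from the original post or from any card network's specification: a simplified model of why copied magnetic-stripe data stays usable while a per-transaction chip value does not. The `Issuer` class, the field names, the card number and the use of HMAC-SHA256 over a transaction counter are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class Issuer:
    """Toy issuer: static stripe data plus a per-card chip key (all constructed)."""
    def __init__(self):
        self._static = {}    # pan -> (expiry, cvv): what a magnetic stripe carries
        self._keys = {}      # pan -> secret key held only by the chip and issuer
        self._last_ctr = {}  # pan -> highest transaction counter accepted so far

    def enroll(self, pan, expiry, cvv):
        self._static[pan] = (expiry, cvv)
        self._keys[pan] = secrets.token_bytes(32)
        return self._keys[pan]

    def approve_stripe(self, pan, expiry, cvv):
        # Static data: an exact copy is indistinguishable from the card itself.
        return self._static.get(pan) == (expiry, cvv)

    def approve_chip(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return False
        expected = cryptogram(key, tx["pan"], tx["ctr"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # fields altered, or value made without the card key
        if tx["ctr"] <= self._last_ctr.get(tx["pan"], 0):
            return False  # counter already seen: a replayed capture
        self._last_ctr[tx["pan"]] = tx["ctr"]
        return True

def cryptogram(key, pan, ctr, amount, nonce):
    # HMAC-SHA256 is a stand-in here, not the MAC real chip cards use.
    msg = f"{pan}|{ctr}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def demo():
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test number, not a real account
    key = issuer.enroll(pan, "12/15", "123")
    tx = {"pan": pan, "ctr": 1, "amount": 2599, "nonce": secrets.token_hex(4)}
    tx["mac"] = cryptogram(key, pan, tx["ctr"], tx["amount"], tx["nonce"])
    return {
        "stripe_replay": issuer.approve_stripe(pan, "12/15", "123"),
        "chip_first": issuer.approve_chip(tx),
        "chip_replay": issuer.approve_chip(dict(tx)),
        "chip_altered": issuer.approve_chip({**tx, "ctr": 2, "amount": 99999}),
    }
```

Calling `demo()` shows the copied stripe data approved again, while the captured chip message is declined on its second use and when its fields are changed.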

ADDITIONAL UPDATE:

PINs also breached:-

http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/?_r=0

UPDATE AND COMMENTARY: 

What are the prospects for class litigation?  Will the claimants be able to string together an ‘actual injury’ theory or is it more likely that a “class” of financial institutions will bring suit?

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/?goback=%2Egde_88093_member_5828604845245898755#%21

See also top ten data breaches for 2013 (thanks to Daniel M. Ryan for graphs):

[Figure: 2013 Top 10 US Data Breaches]