06
May 14

The Target Breach, By the Numbers

facebooktwittergoogle_plusredditpinterestlinkedinmail

News that Target’s CEO Gregg Steinhafle is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013. Sprinkled throughout those reports were lots of numbers, which got me to thinking about synthesizing them with some of the less-reported numbers associated with this epic breach.

numbers40 million The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

0 - The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

18.00 – 35.70 - The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.

Update, May 7, 10:00 a.m. ET: The Guardian yesterday ran an op-ed that I wrote about the departure of Target’s CEO and the need for greater focus on security from the top-down across the retail industry.

Tags: , ,

136 comments

  1. Robert Stanley

    Cash Only-

    Why do people assume a CISO or CSO would have prevented, mitigated, etc. the breach? Most if not all of the executives/directors are people with an MBA, information assurance, or CISSP certificate. Again, do you really
    think one of these talking heads really knew (or cared) anything about their environment before the breach?

    Turning anything over to someone else, including security is not smart.

    Chip and pin or whatever, you can ALWAYS be pwned by a hacker or an insider -just face it. We are all probably having “our” information sold right now.

    0, 1, 2, 6…36…2600: number of days it takes for Target to become a victim again?

    • Robert Stanley wrote “… you can ALWAYS be pwned by a hacker or an insider -just face it” – presuming you meant “owned” you reflect the prevailing perception of a false reality.

      Cast aside preconceptions and think about the basic problem of identifying the consumer (the one who is supposed to pay the bill) and the paying the merchant (the one who provided the good or service). Think about a system that never exposes consumer credentials sufficient to make another charge to the merchant, and the merchant still gets paid. What the merchant (or any other intermediary) never has they can’t expose. End-to-end encryption isn’t required if what the consumer provides isn’t useful to a crook.

      Also think about breaking the inverse relationship between security and ease of use. In general increased security (like EMV for card-present transactions) require decreased ease of use (requiring a PIN for card-present transactions and a separate device for electronic or mobile commerce.) Consumers (and I generalize here) want security and ease of use.

      At least one way has been discussed for about two years, potentially providing increased security in all commerce modes (card-present, electronic / mobile, person-to-person, even paper based) without requiring a fourth party (such as PayPal), breaks the inverse relationship by providing increased security and increased ease of use, works within existing transaction and communications infrastructures (no new cards or terminals), and provides benefits for consumers, merchants and providers.

      • Robert Stanley

        Mr. Bob,

        Typo: pwned or owned

        You are insightful. Sounds like you copied the ease of use triangle from your CEH or ecurity+ book. I love “thinkers” like you…verbose and hollow.

        You are a true monkey humper : ()

        • Ummm, I’m not “Bob”, but you appeared to reply to me.

          I _am_ an original thinker, at least according to the USPTO, JPO and EPO who granted to me more than half a dozen patents.

          This is a security blog to share protection information.

          What you are sharing appears to be personal criticism that benefits no one. Anyone can complain. Where are your solutions?

          No more replies to you.

      • Thank you for the invitation to fantasize. Most of us don’t need it, however.

  2. Two points (and unfortunately, a longish comment):

    First point: the “46% loss” being bandied about in the other comments is a _reduction_in_profit,_ as Krebs points out, and not an actual monetary loss. The company still reported a profit of $520 million for the quarter. But it had recorded nearly $1 billion in profit during the last quarter of the previous year, and that difference is the 46% drop referred to.

    To put it in perspective, this means that the total cost of the breach — including the CEO’s going-away gift — could have been paid almost fully out of those reduced fourth-quarter profits.

    Also consider that the company received $44 million in insurance benefits related to the breach. It’s not a great deal compared to Target’s breach-related losses, but it helps.

    Second point: Target’s net losses from the data breach pale in comparison to the losses from expansion into Canada — which are pegged at US$941 million in actual money out the door for 2013.

    Averaged over the year, it means that Canada was a $240 million drag on Target during the fourth quarter — or roughly the same as the company lost in the breach. But Target Canada’s “gift” was/is a recurring one, while the breach was (we hope!) a one-time thing.

    It is quite possible that the CEO could have survived the impact of the breach, but still have had to strap on the golden parachute when the Canada numbers hit the fan …

  3. A number I would be interested in seeing, is how many IT staff Target laid off after this whole mess. I had a friend who worked for target in IT. 4 people at his location, all but the manager let go. He said that he contact several colleagues around the country (US) and they were all laid off at the same time, despite time zones. So, It appears Target laid off a majority of IT staff and are supposedly outsourcing IT now. Like that will fix the problem.

    • I worked at Target a few years back as a contractor, and I’ve got to say that was the (second) worst experience of my post military professional life. Then, there were so many many different information security groups, or silos, all doing their own thing and not talking to anyone.

      As for the “outsourcing”… there is no way to prove it, but my money would be that they tried to save money by off-shoring that IT work to Target-India (TI), this is where most of their development and DB activities are HQ’d. When I was their Target relied heavily on so it wouldn’t surprise me if this was the case. Also, let’s not forget that Target started those lay-offs BEFORE the breach was announced.

      • I believe the outsourcing mentality may come from the fact that I think the threat-alert system was outsourced for Target, and then internally the one in two thousand alerts was missed. So perhaps the board is thinking that everything should be outsourced (which itself represents a sort of security risk.) The clean sweep and start again concept maybe a mistake as it takes a *long time* to get up to speed on a new system and the folks who where there know it well. The bottom line is the new bread of CISO and CIO’s need to be both business savvy and super-geeky these days.

        Let’s face it the black-hats are winning hands down now, however, the balance of security power is a back-and-forth type of game I think.

        I believe what is really needed is some fresh new thinking on security at the foundational and framework levels.

        As a founder of the Excelsior Security Group I am currently trying to develop a framework of security for small and mid-size organizations. Also I am working with a development group for a a major managed services provider. We need a live data network and anonymous live threat sharing project maybe too. Perhaps, if we can identify some new thinking at this smaller level it will be helpful everywhere. I would love to work with anyone interested to move this forward.

        Briand Krebs, you are AWESOME and thanks for such incredible work that you do!

    • So long as the credit bureaus and banks are outsourcing it all what does it really matter? The whole credit foundation is built on shaky security ground to begin with.

  4. Thanks for confirming that had EMV (Chip&PIN) been implemented at Target without end-to-end encryption (even inside the POS terminal) it would have stopped ZERO sets of card information from being stolen.

    Does EMV protect consumers making internet purchases? Yep, just read from the horse’s mouth
    http://www.smartcardalliance.org/pages/publications-emv-faq#q12
    So now you need a “reader” to make purchases? Given that electronic and mobile commerce are growth sectors (especially compared to brick-and-mortar retailers) this is a PITA for consumers.

    The forced migration to this expensive technology is a giant step sideways for all constituencies: provider, merchant and consumer.

    • But if banks can ram through legislation similar to Europe, where every transaction is assumed to be valid and the onus is on the individual to prove fraud occurred, then it’s a major win for the banking industry. Their lax regulations and shoddy implementations need no corrections at all, all their problems just get legislated away.

      • Banks are no more in favor of chip and pin than anyone else, as it costs a lot of money to implement new systems, especially systems that DONT actually reduce fraud. It takes only slightly more effort to fraudulently use a chip and pin card than a magstripe one.

        And legislation has already been passed, and its actually not bad. If banks / merchants / acquirers dont support EMV by (i believe) late 2015, then the cost of the fraud will fall back on them, instead of the way it is now, where it falls on the issuer of the card, and is then passed back to consumers. So if the issuing bank doesnt provide EMV cards and there is fraud on the account, the bank is liable – if the issuing bank provided an emv card, but the retailer, or the retailers bank doesnt support emv, then fraud on that account goes to the retailer or retailer bank, depending on who didnt support it.

        • Just Me wrote “… the cost of the fraud will fall back on them, instead of the way it is now, where it falls on the issuer of the card, and is then passed back to consumers. “

          I’m pretty certain that as of early 2014, the cost of card fraud is borne by the merchant, not the provider. Regardless of who pays today, tomorrow or next year, consumers will still bear the costs in the end.

          As written in this blog: had EMV (Chip&PIN) been in effect the number of Target consumer accounts that would have been protected (absent additional end-to-end encryption) would have been ZERO. Additionally EMV increases complexity and imposes material costs in the form of new transaction and communications infrastructure requirements.

          There are other ways to provide increasing security while keep it easy-to-use, work via multiple avenues of commerce (card-present, electronic/mobile, person-to-person, even paper based) and without imposing costs like the $100M Target is budgeting to take the giant step sideways with EMV.

      • Seymor, I think you are grossly misinformed about liability in Europe.

        In a nutshell, the Payment Services Directive, which came into effect in fall 2009 says that a customer is NOT responsible for fraud, unless
        -he/she directly participated in it
        -he/she was grossly neglicent (and mind you it is now GROSS negligence, as opposed to some national legislation before)
        -he/she did not obeserve their responsibilities such as not writing down the PIN, leaving the card in a handbag in a locked car etc.

        While the Directive theoretically allows for a 150€ share of the fraud to be passed off to the customers, several states did away with that.

        So the situation is really nowhere near what you describe.

        And as regards cross-channel contamination to CNP environments:
        The CVx2 would still be missing, which IIRC is a mandate for at least one of the card schhemes.
        If the card is registered for 3d-Secure, as many issuera require, that eliminates a further, although still too small, due to poor merchant uptake, chunk of fraud possibilities. Here is me, as a card issuer, hoping that the ECB’s SecuRePay recommendations finally require universal 3d-Secure support at merchants.

      • SeymourB wrote

        “…every transaction is assumed to be valid and the onus is on the individual to prove fraud occurred, then it’s a major win for the banking industry. ”

        And a major loss for us. The weaknesses of EMV have been documented in the EU since at least 2008. See the references to technical papers, some excellent BBC videos and other news sources at http://nc3.mobi/references/emv/

  5. Just Curious

    It would be interesting to find out what percentage of affected card customers have signed up for the Experian credit watch service.

  6. Saying ‘don’t blame the CEO he got what he negotiated’ is a cop out. When are we going to wake up & realize the boards approving these pkgs are the same people who are CEO’s at OTHER companies & it’s all just a giant circle jerk! I pad your wallet, you pad mine. It’s just like anything else; be it big money, Wall Street, an auto company or whatever self-regulation does NOT work. We little folks are nothing to them & until we finally put our foot down nothing changes.

    • It’s not a “cop out.” It is no different than any other employment agreement.

      The best way to instrument change is to stop shopping at Target or vote out the members of the Board of Directors who are on the Compensation Committee.

    • The real fun happens when you realize that much of a CEOs compensation is tax-deductable for the company.

      So much of the CEO’s out-of-control overcompensation is paid for not by the company, but by taxpayers.

      • I dont think tax deductions means what you think it means. If someone (or some company) takes a deduction / write-off / etc, that doesnt mean the rest of us pay more due to that deduction – thats not how it works.

        • True. More money is printed for the banks to loan. Period.

          Remember parity with the Euro? On December 31, 2008, the parity was set at 1 Euro for 1.665 dollars.

          On Tuesday, May 6, 2014:
          The euro rose 0.4 percent to $1.3930 against the dollar

          On Tuesday, May 6, 2014:
          The US Dollar fell to its lowest-level in five-years against the Pound.

        • How interesting that you’re arguing semantics while blissfully ignoring the fact that CEO pay should never, in a million years, have been available for businesses to deduct from their taxes.

          This kind of nonsense is why so many corporations have had negative tax rates, meaning they not only get back all the taxes they’ve paid over the year, but the IRS cuts them a check on top of it.

          • It is a cop out. It’s verbalizing an excuse for unacceptable contracts with negative effects on the very company the CEO’s are purporting to run. And being able to deduct the CEO’s salary, golden parachute, etc is ridiculous. Employee salaries, health benefits, vacation & sick days are all treated as liabilities to be eliminated while a CEO’s salary, etc is considered an asset and an acceptable write off? That’s twisted BS!

          • You’re wasting your time – I’ve had this debate 1000x times and the people you’re trying to convince are not thinking about it as an entire system where everybody is linked, they see it as if ‘only’ every CEO in the country games the system it is great and they earned every million. They don’t realize that when 5000 CEOs do that and pull a half trillion out of the tax base, SOMEONE is going to have to make up the difference or else give up on schools, roads, and everything else that makes it possible for a country to operate. You might as well be arguing with them about religion because their tenets aren’t based in math or solid economic theory. Bringing it back to the topic at hand, when they can easily add 12 layers of fuzz between themselves and any responsibility or liability for their actions what would you expect to happen? If I dumped a jar of cookies in a kindergarten class, do you think they would calmly line up and fairly hand them out or zerg rush and shove all the other kids out of the way and gorge themselves as fast as they could? Basic human behavior 101

            • @Meh
              Of course you’re right, I don’t know why exactly I continue to bang my head against the wall. Perhaps that’s human nature too

              • Netflix has a lot of good shows on right now that talk about this kind of stuff, but they all stop short of any good solutions. The people who can this as a problem generally already do see it as a problem, the ones who don’t have already experienced the cognitive dissonance and rationalized it to justify the greed in case they are ever in the boat to do such a thing themselves. If you step back and look at the big picture, such events don’t happen in a vacuum and when these failures occur such as in this case, millions of people get hosed with the consequences. The stock market only cares about the price going up and is never going to put an adequate value on security or all the employees that make the day to day efforts that kept a lot of these business around for generations in the past – the new model is a quick rise and cash out with one guy walking away with millions at a low tax rate and the rest of us unemployed, dependent upon the already strained public resources, and literally missing our identity (since it got lost and sold in the process).

                • Meh wrote: “… good shows on right now that talk about this kind of stuff, but they all stop short of any good solutions.” Perhaps because drama and conflict sell better than compassion and resolution. Good news rarely makes good theater which is good for entertainment, but remember that the height of the Roman Circus came at the decline of the Empire. The people were fed and entertained and distracted from the looming disaster. Sometimes entertainment is what we want, but the last thing we need. I am certain there are good solutions out there, but compared to the most recent disaster it won’t be reported, let alone considered.

                  Meh wrote: “the ones who don’t [ see this as a problem ] have already experienced the cognitive dissonance …” True CD is unpleasant and people are motivated to resolve the dissonance to avoid the headache http://www.simplypsychology.org/cognitive-dissonance.html Sometimes people take the easy street and simple go with what they “know” rather than face a challenge to their preconceptions.

                  There are other neurological process variants that actually prevents them from seeing the problem. Their brain just diverts the information to the great bit bucket. This is why reasoning with true extremists of any kind is almost impossible, they just don’t hear it. Sometimes this is “Change Blindness” when people are over-stimulated and literally don’t see the gorilla waltzing thru the basketball court.

                  • True, but I feel the reason they don’t give any solutions is there basically aren’t any. Our leaders full well plan on taking us all down the road to living like 3rd world peasants and they feel no qualms at all about reaping 4x the gains they got from our parents. Its all the other folks that merrily cheer them on that are concerning, and anybody with any passable background in economics or math can see the path we’re on is already not sustainable and just getting worse. This boils into security since companies are the new warlords with all the assets and resources, the modern castles with their own private armies and walled off against all the other castles and armies. At some point the more pragmatic of us just want to see the lords of the castles go duke it out instead – lot easier all around. How much money have Apple and Google wasted on pointless lawsuits on decades old technology instead of just having a good old fashioned duel at dawn.

                    • Meh wrote: “The reason they don’t give any solutions is there basically aren’t any.”

                      As regarding charge card payments there is at least one.

                      As for the politics behind why it isn’t being adopted, that is outside my skill range.

          • Diane Trefethen

            I know this is off topic but the distinction between deductions from revenue (expenses) and deductions from taxes owed (credits) is important.

            @SeymourB, 2:33pm
            “much of a CEOs compensation is tax-deductable [sic] for the company”
            So are cost of goods sold, ordinary salaries paid to workers, shipping expenses, and almost all other costs of doing business incurred by a company.

            Your second comment, “So much of the CEO’s out-of-control overcompensation is paid for not by the company, but by taxpayers” suggests that you might think that executive compensation is a reduction of taxes paid. It is not.

            Nevertheless, your statement is true but only indirectly. To the extent that the Federal government needs to raise monies and corporations pay less in taxes because over-blown executive compensation reduces their net income, the burden to make up the difference falls on ordinary 1040 taxpayers.

            However, even greater contributions to the reduced taxes paid by companies vs ordinary taxpayers are 1) the reduction of the actual tax rates paid by corporations and 2) the expansion of allowable deductions. In 1960, a corporation’s first $25k was taxed at 30% and everything over that at 52%. [For reference, $25k in 1960 was approximately equal to $250k in 2013.] In 2013, the minimum corporate rate was 15% ($0-$50k), at that $250k point it is 34%, and the max is 38% for income over $15million but less than $18.333 million.

            @SeymourB, 8:34pm
            “CEO pay should never, in a million years, have been available for businesses to deduct from their taxes.” This statement reaffirms that you are under the impression that “CEO pay” is deducted from taxes owed (to repeat, it is not). “CEO pay” is as much a legitimate business expense as pay to any other employee. The problem with the deductibility of pay to executives isn’t that it is an allowable expense. The problem is that the amounts paid have grown grotesquely disproportionate to their actual services to their companies while the pay to ordinary salaried workers, the ones actually producing company income and whose productivity over the last 50 years has increased, has decreased in real dollars.

            • You, sir, are grossly mistaken. “Performance” pay is a tax deductible expense for corporations, and has been for some time.

              While all the CEO’s compensation is not deductible, portions of it are, and the “performance” portion of their compensation has skyrocketed in recent years as a result of this deduction. GE’s CEO, for instance, has received more income through “performance” pay than his regular salary for years. CEOs often get this “performance” pay even when the corporation is not doing well.

        • Income is used to pay expenses. While income can be supplemented by debt to pay expenses, eventually income will be used to pay expenses (+debt).

          If you’ve found some magic way of cutting your sources of income without cutting expenses, I think you’re in the wrong field, as economists would love to have you write a paper on the subject.

          Under current economic theory though, taxpayers pay for government, and if you cut taxes on one group that means the other groups will – over time – bear more of the burden of paying off accumulated debts.

    • General Motors’ new CEO will make 14.4 million in her first year. 58% more than her male predecessor (should we cheer because she’s a woman? I”m so torn…). Anyway, that comes to 0.000092% of the revenue, and .0026% of the net income. That’s why the boards don’t give a flip what people like us say or think. Now I think it would boost morale and company image if one of these fat cats capped herself at say $200,000, but is that likely to happen? Would any of YOU take 200k when you were offered 14.4 million? I also think there are unknowns out there who could do a better job running the company, but are unknown because they havent played their career cards right, nor read Machiavelli.

      • Nobody really cares that she got paid that much, except that usually these huge windfalls aren’t coming because they improved the company (58% in a year), it comes because they sucked that difference out of workers (also known to other companies as customers), and lessened the quality of their products to free up that wad of cash in one grab.

        I think the only real solution to this particular problem is making it so they can’t do that one massive grab and instead tax anything over a million a year at 90%, then if they insist on giving Bill Gates or Steve Jobs a billion dollars then the state and government also gets a good chunk to put towards education, roads, etc. More likely they would suddenly find their sense of long term quality, start paying workers something realistic, and price the CEO compensation at something more in line with their performance too. It is really a very simple problem, companies started doing this because they can – they have every reason to destroy a 100 year old company they didn’t found or bring to that point when they can walk away with 50 million dollars in a year or two.

  7. Target does many things right. But over the past years Target has limited themselves to their own skill level(s) and has shared very little with others in the industry unless it is to their benefit (disregard the 5% back to schools).

    They do not engage the “protection industry” as King Rogers did for example (Former SVP in Assets Protection/LP).

    They do have an opportunity to get back on track with the outside industry leaders and avoid the pit falls of single management thinking that is “we know it all, so you all follow us and the rest of you go lay down by your water dish”.

    I am sure the next CEO will shake up the organization, listen to other industry leaders and engage their own front line investigators within Target to get the best ideas… they will become more proactive I believe.

    Target is at $57.85 today, may be the time to buy?

  8. When will the Government start defending this Nation against attacks? If troops were massed on any of our borders, you can bet that we would scramble jets, send troops, and muster all the support needed to defend our border. There’s no difference in this Cyberwar. The Federal leadership is failing our Country and placing our critical infrastructure and our very existence in jeopardy.

    • @George.
      I am inclined to agree with you, particularly when one has regard to what should be the priorities in this area.
      However, and from an outsider’s perspective (non US citizen), how do you rate your chances of having your legislators presently agree on this matter, let alone any other?

  9. One related concern I’ve had that I don’t recall seeing any discussion about is Target’s habit of scanning people’s driver’s licenses when they purchased certain products rather than entering their dates of birth. Given that these are scanned using the mag stripe on the back, all data on driver’s licenses was collected (DOB, address, height, weight, etc). Curious if this database was also compromised as it would compound the risk dramatically beyond credit card data.

  10. 1 – the number of times required for someone who saw the IDS alarm to not treat it as a false positive, to limit the scope of the breach to be possibly much smaller.

    2 – the number of authentication factors that would have potentially helped prevent hacker logins from the 3rd-party HVAC company that lead to the intrusion.

    3 – a number that approximates 3.14159 or pi, mmmmm pie.

  11. Shakeel Mahate

    Another important cost that might be difficult to calculate precisely but maybe you could try to estimate is the amount of late fees and service fees paid by consumers whose credit cards were updated due to no fault of theirs and automatic payments scheduled on the old credit card accounts.

  12. Excellent numbers column, Brian. It’s funny how you drily point out the corporate responses. Everyone dutifuly reported the announced change to Chip and PIN without anyone having the wherewithall to note that that wouldn’t have prevented this whatsoever.

    I’m not even sure if Target understands yet what happened to them.

  13. 0 – The number of fraudulent purchases made with those stolen credit card numbers that will be prevented by providing victimized customers with a credit monitoring service.

  14. Target Selects MasterCard and EMV for Card Security

    http://newsroom.mastercard.com/news-briefs/target-
    selects-mastercard-and-emv-for-card-security/

    Mostly PR wording, but interesting to know :)

    “Target has long been an advocate for the widespread adoption of chip-and-PIN card technology,” said John Mulligan, executive vice president, chief financial officer for Target. “As we aggressively move forward to bring enhanced technology to Target, we believe it is critical that we provide our REDcard guests with the most secure payment products available. This new initiative satisfies that goal.”

    “Target and MasterCard are taking an important step forward in providing consumers with a secure shopping experience, and the latest in payments technology,” said Chris McWilton, president, North American Markets for MasterCard. “Our focus, together with Target, is on safety and security and a good consumer experience.”

  15. The criticism of Target amazes me. Let’s not forget, Target is the VICTIM of a crime. If someone walked into your house and stole all your possessions, including the ones that you had borrowed, you wouldn’t be hauled in front of Congress, fired from your job, and sued by everyone that ever walked into your house. Does Target have a responsibility to keep data secure? Of course they do. But, until we as a society stop blaming the victims of crimes and treating them like criminals, this will continue to happen.

    • @William
      While you are correct in saying Target is a Victim they are a victim of their own doing Their lack of diligence & protocols created the opportunity & therefore they had control over the depth to which they were victimized. We, the consumer, were victimized by Target’s negligence AND the hackers theft. And while we are ultimately responsible for our own behaviors and the consequences thereof, ie. using our debit cards in the first place instead of cash, there is an inherent amount of trust placed in a retailer & the entire processing system used, whether it’s deserved or not. I agree with you that we should not blame the victim (as a society we are horrible at this) but that doesn’t remove the victims responsibility to take measure with which to prevent future breaches. And where this situation differs from most ‘blame the victim’ cases is (and this is huge) they are a for-profit business NOT an individual with feelings.

    • No Target was merely the accomplice, the 40 million people with their information out there for sale are the victims.

    • The gross negligence in the protection of a customer’s credit card information (and all the other Private Information through driver’s license scanning) collected by Target, that was a result of not having applied remediating patches to well-known vulnerabilities in a timely manner, is a criminal act in and of itself under the Consumer Protection Act and PCI Standards.

      Target’s credit card purchase procedures were previously responsible of unauthorized purchases by persons who had cloned a valid card’s information to any plastic card complying with ISO Standard 7810 – this includes old expired credit cards, hotel room key-cards and other mag-stripe cards of the correct size. How you ask! The POS devices at the Target check-out lanes only required a card be inserted that had purchase-card information on the mag stripe. That card was never required to be handled, or even viewed, by the cashier. The card could literally be a completely flat, unembossed, hotel room key that had had the mag-stripe reprogrammed. A short Google search and an investment of under $1000 can yield this same technology to anyone.

      Target maybe a victim, in one perspective, of the information theft reported in Dec 2013; but their complicity in that crime makes them as guilty as the hackers that are selling that stolen info now. Target has a track-record, of putting their profit-margin before the security of customers’ account information, that dates back at least 5 years. They are in no way “Innocent Victims” in this case.

  16. @George,

    Why do you assume the government is doing nothing? Just because you can’t see what is happening on CNBC or Fox News doesn’t mean nothing is being done. Ever heard of Cyber Command or the NSA??

    • Very true @William. Just because we done ‘see’ what is happening is far from indicating the reality of the situation.

    • Why would you assume they ARE doing anything? What is the status quo – credit monitoring and insurance payouts and some lame apology and then business as usual until it happens again. This isn’t even the worst breach in the last 6 months, it happens all the time with the data brokers at a much higher volume and the government hasn’t done anything about them either. It would have to implicate many of them directly or threaten the entire banking system for it to pass the red tape circus they’ve held the last 40 years in the halls of congress. They are much too busy voting themselves raises and running for re-election to give a crap about the concerns of the masses.

  17. and..
    $0 the amount they would have lost if they had properly handled their security system alerts….

  18. There is an excellent 14 slide overview of Verizon’s analysis of data breaches available at

    http://www.slideshare.net/VerizonEnterpriseSolutions/2014-dbir-slideshare-9-attack-patterns-4-29-14

    A link to the full report is on the last slide.

    IMHO the presentation is simple and clear analyzing 100,000 incidents over the past 10 years. 92% of them broke down into just NINE basic patterns including POS attacks, web apps, insiders, physical theft and loss, crimeware, payment card skimmers, denial of service, cyber espionage and miscellaneous errors .

    The information probably won’t be anything new to most of us, but the presentation may be useful in communicating information to non-technical persons. It summarizes a miasma of important information into a series of well crafted bite-sized nuggets suitable for ingestion by those with a 30-second attention span.

  19. Great article. Regarding your first “0″ point, however, could you clarify?

    As it reads now, your sentence seems to suggest that Chip-and-PIN-enabled terminals would not have prevented any compromises against the perpetrators. Do you mean this or rather that zero cards would have been compromised had the Chip-and-PIN-enabled terminals been in place.

  20. I believe even end-to-end encryption can be defeated by memory-scraping malware. The device has to read the credit card number in order to encrypt it, and therefore the number is briefly exposed in memory before being encrypted. This is according to Adam Myers, VP of Intelligence at CrowdStrike, as cited in http://threatpost.com/ram-scraper-malware-a-threat-to-point-of-sale-systems/103623.

    • I think this was covered in prior threads. IIRC the encryption would be done on the card reader device, certainly not in a Windows POS. That’s just idiotic.

      While the device would have memory, it’s embedded software and not something that gets “updates’ that could run as services and scan memory.

      I am not knowledgeable in this area though. This is just basic stuff.

      • I know what you’re saying. A card swipe device isn’t very volatile, and I’m not sure the cc# can be grabbed before encryption, or that it has yet. I’ll keep looking around though.

        • Even the dumb terminals can still be swapped for tampered devices that were pre-configured to copy/grab the info.

  21. wow, clueless announcement in the news and retracted. Announcement made by a Texas police dept in arrest of a Chinese man. Don’t know where all levels of confusion arose, but originally claimed he was involved in the Target breach. We know better than that due to Brian’s work. Now retracted, he was just one of the scumbags who bought cards and used them.

    Still is big misleading headlines though. I know this is technical stuff but I think everyone understands what buying a stolen card and using it is. “Involved in Target theft” is not it. My card was stolen when I used it at Target. I’m just as involved as he is, as far as that goes.

    “Customer involved in Target theft”. They’ll get who’s involved in the Target theft when Russia decides their involvement in capitalism doesn’t constitute cybertheft, which is never.

    • Well, he’s slightly more involved than you are, since he not only bought the card(s), he attempted to use them as well (which is probably how he got caught). Having your card stolen isn’t a crime, while purchasing and/or using the stolen card are.

      It would be lax journalism to claim that he’s anything more than your garden variety scumbag trying to get rich quick, no argument there. Given the technically clueless nature of most local police departments, they probably did think he was involved in the breach initially because, well, police departments intentionally don’t hire bright people.

  22. great post brian, short and sharp, puts all the stats in perspective. keep up the good work as always.

  23. I wonder, who finally pays such a fraud. Card holder/banks/retailer?

    • Eduardo wrote: “…Card holder/banks/retailer?”

      In the end all CONSUMERS pay the price.

      Credit card holders who promptly report frauds are generally protected. Debit card holders have some, but generally lesser, protections.

      Banks and card providers incur some expenses, but charge their customers (the merchants) to recover those expenses and make a profit.

      The retailer bears the cost initially as they have provided the goods or services and didn’t get paid, but they too include such losses as a cost of doing business and that cost is recovered in their markups.

      In the end the consumers who actually pay their bills are paying for the cost of crime, albeit in very small amounts with each transaction. Taxpayers pay for the law enforcement resources expended, again, in very small amounts each.

      Only when these expenses are totaled or an event is very large, does it reach the level of public perception. It is better, for providers, for merchants, for consumers, for our nation and other nations to PREVENT charge card fraud on the first place.

  24. Don Turnblade

    There has to be an up from Zero move.

    Who owns the responsibility to protect that data at Target? More successful efforts tend to have a CISO who is directly responsible. Organizing the effort and knowing exactly who gets fired if things do not measurably improve helps. Personal ownership of protecting sensitive information by every one in Target also tends to lead to better improvements.

    Without these, the organizational will to change never jells. Then, the dejavu patterns of failure return.

  25. Don Turnblade

    Why exactly would a bad guy change his plans?
    - If they knew how to steal a quick 40 Million once a year…
    - If they knew the victim organization is too disorganized to fix their gaps…
    - If they knew I could avoid being caught…

    What part of Target’s plans change any of this?

    • DonT – While Target is hardly blameless for their security lapses, the complete “charge card” concept is solidly stuck in the late 20th Century. Remember: Target had been certified PCI compliant in September 2013, a few weeks prior to the breach. There are questions about the certifier, but being compliant with INDUSTRY STANDARDS wasn’t enough. A solution at the provider level will reach to Target, AND ALL OTHER merchants. There is at least one.

      Re Target being PCI compliant
      http://www.startribune.com/business/252963011.html

  26. The only way that retailers and businesses can prevent this from happening in the future is to put in a solution like Blueline Data in. We capture encrypt and tokenize the sensitive data before it enters the corporate infrastructure, any information stolen is irrelevant, benign information, they can’t do anything with the tokenized data. Having sensitive data inside a corporate infrastructure is only going to get more and more dangerous, the threats not only come from external sources but internal ones are just as likely, and often it is not a case of malicious intentions it could be a mistake and then the data is compromised.

    • Kelly wrote: “The only way [ to ] … prevent this from happening in the future is to put in a solution like Blueline Data in. We capture encrypt and tokenize the sensitive data before it enters the corporate infrastructure” ,

      I tried to research Blueline Data (BLD) http://bluelinedata.com/ but it was a copyright 2009, flash-heavy web site that kept trying to load. I gave up after 20 minutes. Is that the right web site?

      In any case I respectfully disagree with your statement, especially the absolute “only”. It sounds like (and I could be wrong) that the process described is for consumer-provided credentials to enter the system to be captured, then encrypted and tokenized.

      a) Is the capture device a new form of terminal? If so, are infrastructure costs as, or more, expensive and the new EMV terminals? In either case, that is a lot of change to make and means that merchants, especially smaller merchants, get another expense.

      b) Are these terminals capable of remote maintenance or remote access? If so, what is to prevent them from being infected with the next generation of RAM-scraper malware to intercept the consumer-provided credentials prior to encryption? “Impossible” simply means it hasn’t been done yet.

      c) How does a physical terminal serve the growing commerce modes of electronic (computer based) and mobile (cell-phone based) commerce? Or, does each consumer now have to have, and perhaps carry, a “device” to use BLD?

      d) Does the token storage facility create a bottleneck, a new cost element to each transaction or any other operational detriment? It certainly ads a fourth party in addition to consumer, merchant and provider. (gateway providers, merchant aggregators and the like are part of one or the other).

      A better solution is one where the consumer __never__ provides their credentials to the merchant, but the merchant still gets paid without involving any more parties. What is never there can’t be compromised.

      A better solution works in all forms of commerce (card-present, e&m, person to person and even paper-based invoice payment) without requiring transactional internet, additional hardware by consumer, merchant or provider, provides material benefits and near-zero costs for all constituencies. There is at least one.

      • My apologies: my eyeballs were recently repaired and I made some typographical errors that SpelChek wouldn’t catch.

        under a)
        expensive and the new EMV terminals?
        should be
        expensive __as__ the new EMV terminals?

        under d)
        It certainly ads a fourth party
        should be
        It certainly __adds__ a fourth party

        Again, sorry about that!

  27. “200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.”

    Not at all to undermine the effect this breach had on Target, but imagine how furious the banks are! They are the ones left paying the bills and reissuing credit cards. Financial security is more than one institution’s responsibility, just like it effects more than one institution in the long run.


Read previous post:
Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft said that later today it will issue an emergency security update to fix a zer0-day vulnerability that is present...

Close