December 18, 2013

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.

Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.

It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.

Follow-up reporting on the Target breach:

Cards Stolen in Target Breach Flood Underground Markets

New Clues in the Target Breach

A First Look at the Target Intrusion, Malware

A Closer Look at the Target Malware, Part II

Fire Sale on Cards Stolen in Target Breach

Card Backlog Extends Pain from Target Breach

Target Hackers Broke in Via HVAC Company

Email Attack on Vendor Set Up Breach at Target

Who’s Selling Credit Cards Stolen from Target?

The Target Breach, By the Numbers

Inside Target Corp., Days After 2013 Breach


620 thoughts on “Sources: Target Investigating Data Breach”

  1. kspahn

    Does anyone know if the card number of a Target Red Card should be changed that is just withdrawing funds from a checking account? I imagine so huh? Unfortunately I cannot get thru to Target to do this and the only way is via phone…..

    1. A. Nonny Mouse

      It’d be a good idea to get a new card. In the meantime, keep a close eye on your checking account. If necessary, you could close your checking account, and get a new one.

      I would think it’ll be easier to get through to Target by phone in a few days. I was able to use the automated system to request a new Target credit card today, though I had to call a few times before I was able to get a connection.

      1. laura m.

        Why the hell would you want a Target card or ever do biz w/them again?? Lawsuits are now being filed nationwide. If anyone has to do biz w/ Target, pay cash; never trust them again for security same with TJMaxx.

  2. st

    Target is saying that only the customers “In-Store” were affected but I made a purchase on December 2, 2013, through Target’s ONLINE store, and my debit card was compromised. My Bank has confirmed that my card was compromised after making an ONLINE purchase @ Target. The “unauthorized access” impacted ONLINE customers as well.

    1. Heron

      Your card could’ve been compromised in a different breach, or intercepted online.

      You shouldn’t use a debit card to make online purchases. Use a credit card instead. That way, if fraud occurs, you won’t be out any money (assuming you look closely at your monthly statements).

    2. laura m.

      Target is apparently lying about this (online purchases)!! I just cancelled my bank debit card to reissue new. Get involved with the class actions going on nationwide; they deserve to pay. Use cash from now on or shop elsewhere. Target cannot ever be trusted with security and neither can TJ Maxx. We need to get chip cards as magnetic strips are dated technology.

    3. brittany

      I think some people are trying to say their accounts were hacked just to TRY and get out of paying their bills or are trying to use a situation to get free money. Banks are one step ahead of that game

      1. Slc

        Maybe some are? I can surely tell you that I shopped at Target right before the holiday weekend and after the holiday weekend and besides my red card other cards were affected with charges to Iceland, Turkey and some other country that starts with a B

      2. Nancy Brown

        Trying to get out of paying our bills?? So you really think a person would go through this hassle to inform the bank that they had fraudulent charges when they really didn’t? You must not have gotten up one day to check your bank account to find that hundreds of dollars were missing. If you did you would not have made that statement.

        1. Slc

          Oh yeah you can add the country of Cyprus to my list of foreign countries!!! Not to mention I haven’t traveled anywhere out of Southern Cali

    4. Slc

      I believe it happened on a much bigger level beyond target that might have been the retail giant that was hit, Target sent me a note yesterday that they are sorry for the matter nonchalant REALLY!!!

      But I also think it happened somewhere else other machines and devices too or via online

  3. DQ

    Something interesting –

    I had shopped in Target on Dec 12th and used my Target Red card (credit). I checked the activity yesterday via the 800 number and the 12/12 purchase was there, but thankfully no fraud has occurred yet.

    When I checked today, the 12/12 purchase was not there! I wonder how that happened?

  4. Janet

    Should we change our credit card numbers? My credit card bill is paid for through my checking account. Is this compromised also?

    1. Ruberic

      You can put a free 90 day credit alert on your account, and get credit reports for free at https://www.annualcreditreport.com
      The credit alert means that any new accounts opened require a phone call to you to verify the new credit account. Also they are not supposed to mail you credit card offers.

      Check activity on your accounts by logging in to your cc websites, or calling the providers. Do you know you used a card during the timeframe at Target?

      If you know you did use a card at Target – or there is unexplained activity on your card, then have the card company issue a new card. Go through your statements to update any recurring payments that might get fouled up. (Also helps to check Paypal and Amazon cards on file.)

      Bogus credit card charges will be covered by the card companies, if you notify them in time. (I am not sure what protection you get on debit cards with a Visa insignia.)

      1. Ruberic

        Oh, regarding the bank account. No, it’s not compromised, but it could definitely be affected if you’re not paying attention. I don’t like autopay for that reason.

      2. Laurie

        Bogus credit card charges are NOT covered by the card companies, the cost is put upon businesses that these cards are being used at, including small mom and pop shops like ours. The banks give us charge backs and we lose the merchandise as well. The banks bear none of the cost.

        1. Rick

          This statement is not correct. All fraud loss in a face-2-face sale using counterfeit cards is a loss taken by the bank that issued the card.

          If a card is stolen and it is used for a non-face-2-face (CNP) transaction the loss falls on the retailer. In this case, The full mag stripe data (track 1 & 2) was stolen. The fraud asters in most case would need the Security code on the back of the card for Internet sales, which was not stolen.

          So 100% of the losses for fraud are born by the banks, which currently in the U.S. Is several Billions of dollars annually.

          If the merchants had the risk we would see more asking to see valid IDs at the point of purchase and fraud stoers would not be purchases tens of thousands of Gift Cards at self service counters. I personally have cloned my debit card onto a hotel key and used it at every major retailer with no problems.

          If the merchants placed more emphasis on if the card was actually owned by holder, especially for Gift Card sales we would see fraud losses drop dramatically, but because they have “zero” liability fraud stoers can and do shop with complete impunity.

          1. rick

            Sorry for the spelling. Not a fan of “spell check” on my ipad. 🙂

          2. Glenn

            Rick

            I wish you were right about the face to face transactions being ate by the issuing bank but that is not true. I operate many retail brick and mortar locations and we are plagued with card backs from stolen or fraudulent cards. In almost all cases the retailer eats the fraud.

      3. Fred Hefflefinger

        This hacking is going to expand rapidly. My account was hacked, a chase mastercard and I did not make a Target transaction in the so-called time frame they are claiming. My transaction was November 8. (cleared Nov 10).

        1. Amanda

          I also shopped at Target on 11/08 … now what? It’s not in the time frame they released?!

  5. KS

    I’m currently on hold with Target now…..a little over 2 hours. My question is…..I signed up for the RedCard credit card during that time frame and in doing so……you enter all your information to qualify for the card on the screen of their “swiping” machine…including social security number and birth date. Is all info entered into the machine compromised as well…..or just the cards that were actually swiped through that machine?

    1. Moses Hernandez

      It’s very difficult to say whether your identity information could have been compromised during that time period or not based solely on the media reports. What I would suggest you doing if you are concerned about it, is performing a credit freeze to your credit accounts. The process is pretty straight forward and depending on your state would be something you would pay for, something like 1 – 15 dollars per credit account. The way a credit freeze works is, you freeze your credit with each bureau and when you are ready to need to apply for a new account you need to ‘thaw’ it a few days prior to requesting the credit. It can be a pain, but it also prevents people opening accounts in your name and applying for new credit. I would love to hear whether the pin machines which held your information were part of this compromise so that advice would be much clearer to individuals.

  6. Tom P

    With nearly every store involved, this has to be a Target inside job. Hearing that TSS India handles Target’s credit processing leads me to suspect they are the source of this breach. It will be one or a few corrupt employees that did this.

  7. Mike M

    While this may be coincidence, the last time I shopped at target was on November 25th, and my card was just compromised (luckily my bank caught it.) I wouldn’t be surprised, and it might be worth for Brian to take a look, at whether the breach in fact started earlier than they’ve admitted so far.

    1. CJD

      I expect the window to get bigger. Unless they have identified the source of the breach, the only way to identify the when, is by the cards compromised, and there’s just no way to know until all those cards are in the open.

  8. Jurie

    I used my credit card from South Africa and we have a ‘chip’ on the card..will that affect the ability to clone or copy the card for use?

    1. Ruberic

      You have a card with a chip, which is great. But from what I understand Target’s POS systems are not designed to interface with the chip in your card. It sounds like the Magnetic strip data on your card could have been compromised. But you would have to ask your issuing bank whether that poses a risk to your account.

      I would check because here in the states there is a greater emphasis on using software to check transactions for validity. Your banks may not place such an emphasis on verification where the rate of fraud is lower. Also, your rights as a card holder will be dependent on local regulation. It’s worth Skyping your bank…

      1. CJD

        Since very few places in the US support chip on card (target does not) then yes your card is at risk. The mag strip is kept on the card for backwards compatibility for use in places where you can’t “dip” your card such as your use in the US at target. IMO it is worth canceling the card to be safe. My card was used in the window of compromise and despite not seeing any fraud yet I am canceling my card on Monday. The trouble to cancel and get a new card is far less than the hassle of dealing with fraudulent charges, especially if it’s a visa / MC bank card. While your protection is the same as if it’s a credit card, that hassle becomes a bigger impact when you’re dealing with disputing charges that have taken money out of your bank account vs just charges that are billed to a credit account that hasn’t taken actual funds away. Either way the charges will be reversed but banks are much slower to replace funds than take money out of your account!! It’s just extra hassle if you’re hit with fraudulent charges when it can take a week or more to get that money back in your account.

        I HIGHLY recommend every person that shopped in that window of time preemptively cancel their cards before fraud hits. It could be months before your card number is sold and reused fraudulently.

  9. TwoPence

    I just happened upon this site after a Google search into the “Target breach” since I have spent all morning on the phone to no avail. I just checked my debit card statement – I have not been in a Target since 11/10/13, and my card info was used on 12/19 for 11 fraudulent transactions. I see where other people state they’ve had issues outside of the 11/27-12/15 window – how can Target not know which dates’ swipes were breached and claim to have “solved the problem”? I know others keep saying “you don’t know when your information was taken” and “you don’t know that this was the same group” to those outside of the press release timeframe, but I’m not huge on coincidences – regardless of where else we shopped and when, we all shopped at Target, whether or not it was post-Black Friday.

    1. CashOnly

      You are lucky. The breach prevented you from going into credit card debt more. #goodexcuse

      1. TwoPence

        It was a debit card, actually. I’m fairly good at managing money as long as I don’t go pick up toilet paper and body wash and find out six weeks later that it cost me an extra $600… Thanks for the well thought out advice, there.

    2. Nancy Brown

      I have kept all of my cards in a RFID container in my purse for the last 3 years. It was 3 years ago when someone used my card to purchase a $700 plane ticket. Since I have had my cards in the RFID container I have had NO fraudulent transactions on my card. Then Dec 23 I went into Target and used my card. On Dec 24th someone used my card fraudulently at ToysRUs for $368. Coincidence? Well this is outside the Dec 15th supposed end date of the Target breach. I have spoken to many people on Twitter who reported going to Target Nov 10th and other dates before the Nov 27th reported breach start date and then they had fraudulent charges on their card. So, has Target been honest with the public about the containment of this breach? Is it ongoing? Did they not want to say the breach is still active so they won’t lose Christmas profits? I need these questions answered. I want Target to be honest with Americans and if they are found to be lying and allowing the public to use their credit cards knowing they have not contained the breach, they MUST be held accountable. I called the FBI today to advise them of my experience, that I had not used my card at Target for MONTHS, then used it on Dec 23rd and then fraudulent charges appeared on my card Dec 24th. A woman FBI agent told me that the hackers may still be at work. Well, if my fraudulent transaction was caused by Target, then their breach is ongoing and not contained. Who pays for the fraudulent charges? The banks. Who pays for the credit monitoring? Target. So what has Target got to lose when allowing a breach to continue through Christmas? This is outrageous! I felt safe to use my credit card there on Dec 23rd, but having a fiance in college seeking a cyber security degree, and learning the material with him, I should have known not to use my card at Target. What an idiot I am.

  10. Angela

    My husbands card was flagged as compromised yesterday (Dec 20) after swiping it at Target. They also cancelled mine . Always nice to be at the fuel pump and see card declined and have no access to funds until Monday. Couldn’t finish last minute Christmas shopping… Thanks Target.

  11. JerBear

    I think Target got what it deserved. For years the majority of fraudsters I have seen were making purchases with gift cards from Target. As far as I know Target doesn’t care if their stores are being used as conduits of criminal activity as long as it doesn’t take a loss. And this is true of most retailers and banks; they just don’t care. The retailers aren’t taking the loss, and the banks just absorb the losses. Then fraudsters turn around and flood urban communities with drugs and guns from the profits they make from using counterfeit credit cards to buy gift cards, then returning or selling the merchandise.

      1. Nancy Brown

        I used mine on Dec 23rd and it was fraudulently used on Dec 24th. I had not used it at Target for months. I have spoken to others on Twitter who have stated they went to Target before and after the reported breach dates of Nov 27 – Dec 15 and their card was fraudulently used. We MUST get the word out NOT to use your card at Target. My prediction is that we will find this is bigger than we thought.

  12. vanilla gorilla

    I would be interested to know how the breach took place. It was being initially reported as a skimming attack, but I can’t believe every Target store’s credit card machines could have a skimmer attached unless it was some kind of zero day backdoor or secret chip install. That would probably imply a State sponsored attack and leave significant traceable evidence. I am assuming it is more that the conduit between Target and its merchant provider was hacked or that there was a systematic breach on the local stores. For instance, if store routers were set up with some sort of systematic password scheme that was found out by attackers they could be sitting on Target’s networks. However, I doubt we will ever be told the truth about the details of the attack.

    1. CJD

      It’s not a skimming attack. I think in many cases the term skimming has come to mean any theft of card data at time of use, regardless of if it’s a hardware skimmer or not.

      I doubt it is a store router compromise, it’s very unlikely that the card data went over unencrypted channels at the store router, and unlikely that the entire track data was transmitted. It would be a huge waste of bandwidth to be transmitting full track data to the bank, it’s not required.

      To have compromised every store, its likely to have been a POS compromise, either an exploit in Windows allowing a trojan, an exploit in the POS software, trojan firmware in the verifone PIN devices, or an OS / POS compromise at the POS server in each store….IMO the least likely (even tho itd be the most efficient) would be if the firewall / router(s) on the link(s) to their acquirer / bank were compromised.

      What will be most interesting, IMO, is to find out A) how they got inside the network (inside job or did they break in from the outside), and B) how they managed to distribute the hack to EVERY store undetected. Even if it was a Windows exploit allowing a trojan to be placed on each POS terminal, that kind of traffic /normally/ would show up….it would in our environment, unless they were able to get in and slowly distribute the trojan over a period of days.

      IMO State sponsored is highly unlikely. China is about the only one that would have a stake in such state sponsored attacks against a retailer, and those attacks are kept under very tight wraps, and don’t involve CC data theft, they involve other data theft such as pricing, margins, suppliers, etc – data that could give a Chinese based company an advantage when working with a US retailer. For it to be a state sponsored financial attack, you would expect to see multiple large retailers hit all at once, and in a way that would disrupt commerce or banking in the US, destabilizing the financial sector in some way, or shaking consumer confidence.

      Don’t underestimate the size, power, and ability of some of the Eastern Bloc countries such as Russia and former Soviet nations. While there may be better skilled groups in China and other Asian nations, the Russian / Baltic groups are generally the ones that are carrying out these attacks for financial gains, while the Asian groups are generally doing it for state reasons, or other gains / disruptions.

      There has long been information out there that the Russian authorities have told the mob and cyber criminals that they will look the other way in these cases, provided that they never attack any interests that are based in Russia, and that they don’t attack Russian consumers…..

      Also, considering the cards have shown up by sellers with Russian cyber crime / mob ties, lends to this being a Russian organized crime attack of some sorts…

      1. Jason

        Here is my theory on the attack vector used in this breach……

        The idea for this attack vector struck me one day while shopping at a Target. I went to the checkout and was asked for ID. I showed it to the cashier but was asked to remove it. As it was completely visible in my wallet window, I had to ask why. She stated that they have to scan the ID to bypass the age restriction lock. Paranoid about my data, I asked what would happen if I said no. She stated that she would have to get a manager to override. I opted for the manager override. Shortly thereafter, I began to research what data is actually stored on the back of the cards. Surprisingly, it seems that name, address, DOB, height, eye color, hair color as well as your driver’s license number is encoded in that bar. I’m glad I didn’t let her scan it. I found out that the format used is called PDF417. I found a barcode scanner that could read this format and took a look at my ID. Sure enough, all of my data was there in plaintext. The security gears in my head began spinning. If this text is stored by Target, I would have to assume that it’s put in a SQL database. Knowing how sloppy some applications can be, especially when it is assumed that no one could possibly attack it, would it be possible to perform SQL command injection through this by creating your own barcode and affixing it to the back of your driver’s license? There are a number of free PDF417 code generators online. Based on the assumption that there must be some sort of connectivity between the reader and the register, as the register has to pass the price, I believe that this may have been the attack vector used. Especially considering that there must be some level of security at the store’s network borders.

        I’d be interested in hearing what the community thinks about this and if it would even be plausible.

        1. JCitizen

          HOLY CR@P Jason! I always wondered what was on that strip on a license! Thanks for posting!!

          1. Jason

            No problem. Wondering if you think this might be plausible? I’m very interested in the amount of trust placed on the integrity of the data embedded in ID’s in all their forms. This could be an overlooked attack vector in many different circumstances.

  13. Jurie

    Thanks Ruberic and CJD on the response to the chip on the South African cards. It appears Amex blocked my card (without letting me know, but that is okay, rather that than having it used fraudulently). It does leave one up the creek though being abroad and having a card cancelled.

    We have those chips because there is such a large amount of credit card fraud committed by the Nigerians, so maybe they also have a finger in this pie.

  14. minecraft

    When someone writes a post he/she retains the plan of a user in his/her brain that how a user can understand it.

    Thus that’s why this article is outstanding.

    Thanks!

  15. Betsy

    My debit/credit card was compromised and the bank cancelled my card. They assured me I could still write checks off my account until my new card comes in the mail. Well, the day before Christmas I wrote a check and the retailer said that telecheck denied it. I have never written a bad check and when I called my bank they said there was no reason for telecheck to deny it. Has anyone else been experiencing this? The retailer said they had this happen to four other people that same day who had been hit by the target scam.

  16. Mike B

    Anyone who has been a victim or knows someone who was a victim of the Target card scam, please visit this website: targetcardclassaction.com. At the site, you will be asked to provide important information that will be forwarded to a class action attorney. Thanks.

    1. X

      Setting up a phish net? I apologize if your website is legit, but a gmail address for people to send questions to? What law firm is behind this website?

    2. Wray

      This request smells so bad that no one should enter info here. No reference to a class action attorney that can be validated and requesting info that could be sold to buyers of the card numbers allowing them to forge accompanying identification info. If the date of purchase and amount was stolen for instance, it could be tied to the stolen card number.

      Sorry Mike Berkowitz of Huntington Valley, PA (assuming that’s your real name), but if your intentions were honorable, you offended my intelligence by your completely idiotic post. What guarantee would someone have that you could protect data if Target can’t?

      1. Slc

        I would not put any info on that page period I did some research on the actual matter and it belonged to an ip address with multiple weird names to it

  17. Nancy

    How about the people that applied for a Credit card at Target during that time?
    Was that information hacked too?

  18. Nancy Brown

    I believe the breach began before Nov 27th and may still be ongoing. I used my card on Dec 23rd at Target for the first time in months and then on Dec 24th someone used the card at ToysRUs for $368. I called the FBI to tell them that maybe the breach may still be ongoing and not contained.

    1. Sally Crystal

      I believe it did too we are just learning about it now, not to mention that Target is speaking out the sides of their necks, first how can they assure us everything is okay when I spent a good part of today reaching out to my credit card companies and requesting new cards due to 6 of them had charges from Iceland and Turkey on them!

  19. Kell490

    This smells like a wireless network hack. Anyone running anything other than a Radius server for security on their wireless network is asking for trouble. WEP,WPA1-2 have all been hacked most of the tools can be had on the internet for free. Lot of legacy equipment only works with WEP or WPA these corporations lazy IT departments don’t bother closing the security risk with the wireless networks.

    1. CJD

      Unlikely. Transmitting cardholder data over Wireless networks unencrypted is a pretty big no-no. I would be surprised to find out Target used wireless for their POS registers, especially considering the VeriFones aren’t wireless and at least at my local Target, the VeriFones are using Ethernet, which if you are going to run Ethernet to the lane for the PIN devices, it would make no sense to not run it for the register too. There is almost NO benefit for a retailer to use wireless for the registers, when you look at the cost to remain PCI compliant whilst doing so.

      You would also have had to compromise 1800 wireless networks (1 per store) and you would have to be sniffing traffic in 1800 places, which means you would need a physical machine in each store, or a compromised machine, that was connected to the same wireless network as the registers, to be capturing data. The only other way would be if the wireless controllers had packet capture abilities similar to the Cisco ASA firewalls, but then you would have had to compromise all 1800 controllers – even if Target used a guessable password / network key, the effort to set up something at 1800 locations to snag the cardholder data during the transaction, isn’t very plausible.

      Implementing lazy wi-fi is one thing, but implementing it within the cardholder data environment is a completely different thing. To be PCI compliant (We would have heard by now if Target wasn’t) you can’t just have a flat network where credit transactions flow through the same channels as all other network data, and to think as someone else posted, that Target’s lax security on their guest wireless would allow access to their cardholder network, is just insane – they would have been hacked long ago if this was the case.

      This is a FAR more sophisticated hack than something simple like bad wifi encryption / security.

      1. Jason

        CJD…. did you happen to read my theory above? I am trying to find out if anyone thinks this would be possible as it would be a direct attack on the POS system itself and probably lead to critical data associated with the POS infrastructure.

        1. CJD

          While a SQL attack is certainly a viable vector, I tend to lean against it in this case, for a number of reasons. Target would be foolish to not disclose if other data was stolen, so that leads me to believe it’s isolated to the credit card data. I don’t know that their pos stores your DL data (it may) but most systems read that dob for an age restricted purchase, and just flag the transaction as a pass (used for auditing a cashier or proof that id was provided if audited by the state.). Also, I’ve been on the forums where the data is for sale, and there has been no mention of “fulls” (entire identity data) for sale.

          I tend to think either the readers were compromised (for credit data only), the pos software or os, or the payment network. Target has a similar architecture to my company, and that’s what makes sense (to me) knowing how transactions work.

          The main thing that leads me away from the thought of a DB attack is twofold: if they’re storing the data that was compromised (full track data) then I have a hard time believing they would only store a few weeks at a time of transaction data – I would expect even more data to have been compromised. Secondly, there is no way they would have been PCI compliant, even if they were storing data encrypted, because it’s a huge violation to store entire track data, and there’s no value in storing it. Given the number of transactions they do, storing that additional data would not only be a huge violation, but also would be a huge cost in space for no value to them. Essentially pci prohibits storing enough card data from a transaction to be able to use it in a compromise. Since the full track data was taken, that just leads me to think it wasn’t a db attack, even if it was a live per transaction attack (vs compromising already stored data) because if they weren’t storing the track data, it wouldn’t make sense applicationwise for the full track data to be visible to the SQL process.

          In our environment, the card data is written to disk in an encrypted transaction file while it’s sent to the bank. As soon as the bank responds, that file is overwritten and the card data is gone. Our bank responds with a unique tokenized version of just the card number (no other track data), and that is what we store in transaction logs (in the db) for settlement at end of day, and for returns / reversal of charges. Should we reverse a charge, we send the tokenized number back to the bank where they correlate that back to the card number – we have no way to turn that back into card data. I would suspect Target does the same, and data isn’t written to the DB until after the transaction is complete and the card data is gone.

          I also suspect that the payment network is the least likely of the 3 ways I’ve listed, not only because it’s the hardest to get to, but because it would be very inefficient to send the full track data to the bank during authorization, as it’s not all needed. The pos itself seems to be the consensus method, although I still think the pin devices are just as likely because they can all be updated from one server…meaning hack one server and push a rogue pin device firmware from one place.

          Time will tell. If you want to discuss more detail via email I’d be glad to toss around ideas and provide more detail than I can here about cc transactions. You can email me at: fd2508b5 (a t) opayq [ d o t ] c o m
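The token-only storage flow CJD describes above, sketched as an added example (not part of the original comment and not any retailer's or bank's code), with an audit pass that checks the stored transaction log for leftover track data. `MockBank`, `Register`, `audit` and the sample track 2 string are hypothetical names and constructed test data; the transient encrypted transaction file is not modelled.

```python
import re
import secrets

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + service code + discretionary data?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
PAN_LIKE = re.compile(r"\b\d{13,19}\b")
SAMPLE_TRACK2 = ";4111111111111111=25121010000000000000?"  # constructed test data

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class MockBank:
    """Stand-in for the bank: the only party able to map a token back to a PAN."""
    def __init__(self):
        self._vault = {}
    def authorize(self, track2, amount_cents):
        pan = TRACK2.fullmatch(track2).group(1)
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._vault[token] = pan
        return token
    def reverse(self, token, amount_cents):
        return token in self._vault             # bank resolves the token itself

class Register:
    """Merchant side: card data exists only for the duration of the authorization."""
    def __init__(self, bank):
        self.bank, self.txn_log = bank, []
    def sale(self, track2, amount_cents):
        token = self.bank.authorize(track2, amount_cents)
        self.txn_log.append(f"SALE token={token} amount={amount_cents}")
        return token
    def refund(self, token, amount_cents):
        ok = self.bank.reverse(token, amount_cents)
        self.txn_log.append(f"REFUND token={token} amount={amount_cents} ok={ok}")
        return ok

def audit(lines):
    """Return stored lines holding track 2 data or a Luhn-valid PAN (expect none)."""
    return [l for l in lines
            if TRACK2.search(l) or any(luhn_ok(m) for m in PAN_LIKE.findall(l))]
```

Running `audit` over a log that a debug statement has written raw track data into returns the offending line, which is the storage condition the comment says PCI prohibits.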

          1. Jason

            I agree that a DB full of card data is unlikely. My thought on this as an attack vector was mainly as the beginning stage in a multi-part attack. Assuming the application to check age (and best guess, store user data from ID for later research) is hosted on the POS, then would it not be feasible to have the POS system connect out using SQL commands? Once you have a single POS connect out with a command shell, then you could begin to investigate the way things are configured. Update server IPs, backend OS etc….. Assuming this is an attacker who has some strong abilities, would it not then be possible to craft a MITM program for the platform that exfils the card data on the fly? I’m guessing that this data was not pushed out in one lump transaction, but sort of hid in the immense amount of data that would be normal during a busy shopping season.

  20. Simpson

    I have a question and appreciate anyone’s input. I have a RedCard Debit card and did shop at Target during the affected time frame. On Jan 1, I noticed someone shopped at several stores like Gap, several online stores to the tune of almost $1,400. I immediately called my bank to block my debit card and request a new one. My question might be silly – but is this related to the Target security breach? Or were my bank details compromised somewhere else? Can people only buy things from Target using our stolen data or elsewhere? Thanks

    1. Jason

      It is my understanding that the Target red card debit card can only be used at Target stores. That being said, if the data associated with the card (ie. your bank account number, your real debit card number, etc…) are associated with the Target card in a database that was hacked, then creating a new debit card is trivial. I don’t know what info is given when signing up for the red card, but if key details are given, then it could be related. No one in the public really knows what all was stolen in this breach or even how it was stolen.

      1. Slc

        It happened to me with other cards also I used my red card and other credit cards on various trips prior to the time and after the time frame check everything period…I too have a merchant account that is PCI compliance it was a mandatory move about 9 months ago not sure about some of the blurbage on the post way beyond my mind

  21. Leonard A.

    I’ve had purchases at Target using my debit card around November and December as well. And I checked my statement recently and I noticed there were 3 unauthorized charges from Ohio, date 12/18. I called them but they had no idea what I was talking about.. ._.

  22. pam

    I was also a victim on the breach list. I think my account was just hacked today. I looked at my account and a transaction called “Check” with a description of “1 Day” was posted to my account today for almost $1000!!

    The best part is that the transaction posted during a super bad snow storm and half of our city is shut down in Michigan so I cannot even call my bank because all branches are closed due to the weather! My bank, Lake Trust, actually alerted all of its customers that were breached and took the liberty of issuing us all new debit cards..nice…but too late 🙁

    It’s awful not being able to get a hold of the bank today!!!

    1. voksalna

      pam – Is this on a current/checking account? It sounds like maybe a neighbourhood thief ordering checks after having gotten your banking information via perhaps hacked PC and picking them up when you are not home out of your mail box scam. It probably is not related to Target and may be connected to a larger ID theft problem. Check your credit reports.

  23. c

    I used my non Target cc on Jan. 7 at Target. Did not use it again and within a few hours my account was breached and all my money gone. Since it is a prepaid Walmart Visa they won’t credit me back until all transactions post and my cc disputes all the out of state charges.
