January 10, 2014

Nationwide retail giant Target today disclosed that a data breach discovered last month exposed the names, mailing addresses, phone numbers and email addresses for up to 70 million individuals.

The disclosure comes roughly three weeks after the company acknowledged that hackers had broken in late last year and stolen approximately 40 million customer debit and credit card records.

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said in a statement released Friday morning. “This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.”

Target said much of the data is partial in nature, but that in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams. The retail giant was quick to note that its email communications would not ask customers to provide any personal information as part of that communication.

Target Chairman Gregg Steinhafel apologized for any inconvenience that the breach may have caused customers, and said he wanted customers to know that “understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Nevertheless, the company still has not disclosed any details about how the attackers broke in. This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks, according to numerous interviews conducted by this reporter over the past few weeks.

This latest disclosure also raises questions about what other types of information may have been jeopardized in this data breach. As part of its statement, Target said it would be offering a year’s worth of free credit monitoring services to those affected. Target does collect Social Security numbers from customers who apply for Target Red Cards, which offer applicants 5 percent cash back if they agree to tie their debit accounts to the Red Card. So far, however, Target has not said anything about compromised Social Security numbers.

Reading between the lines, one might wonder why Target is providing credit monitoring services to those hit by what is essentially a credit card breach. Many people conflate credit card fraud with identity theft, but these are two very different problems. The former is quite easy for the consumer to resolve, and he or she has very little (if any) liability for fraud. Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer’s name, which can take many years and cost thousands of dollars to resolve.

The reason Target is offering ID theft protection as a result of this breach probably has more to do with the fact that this step has become part of the playbook for companies which suffer a data breach. Since most consumers confuse credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, whereas experts tell me that this offer mainly serves as a kind of “first response” to help the breached entity weather initial public outrage over an intrusion.

Update, 1:07 p.m. ET: Added additional perspective on this announcement.


190 thoughts on “Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen”

  1. IA Eng

    Looks like the Gift Registry and any sort of online opt-ins for specials may have been lifted as well as the CC data.

    That's a lot of records, like a quarter of what lives in the USA.

    Crazy.

    =\

  2. bks

    Is the CIO still in hiding? I guess when you make $10,000,000 per year you can get away with gross incompetence. Meanwhile the $7 per hour clerks are getting fired for being five minutes late.
    –bks

    1. saucymugwump

      I’m not a finance guy so I do not know where to look for the CIO’s salary. That said, Target must file certain data with the SEC. The CEO earned $20 million or more each year for the past three years. The vice presidents and CFO earned anywhere from $4.6 million to $8.6 million per year for the same time period.

      Look for “Summary Compensation Table” in the below URL:
      http://www.sec.gov/Archives/edgar/data/27419/000104746913005084/a2213340zdef14a.htm#dg44701_executive_compensation

    2. Andy

      The only value provided by an unskilled cashier is their ability to show up, on time, for work. Five minutes or five hours late and they’re no longer of value. Here’s a protip for you, since it’s that easy. Be a CIO instead of a cashier.

      1. Francis, the talking mule

        “The only value provided by an unskilled cashier is their ability to show up”

        On the contrary, they look for shoplifters and can assist in case a customer has a medical emergency.

        This CIO, on the other hand, trashed millions of dollars of Target’s value in terms of its damaged reputation (i.e. future sales) and lawsuits.

        Your teabag is calling you.

        1. voksalna

          Here is an idea (especially in light of recent pushing for higher minimum wages (which I agree with there — wow are things expensive)): Why aren’t retail establishments splitting a gross commission per store with each employee on a weekly basis. Busier stores and better sales people in a store, but not just the salespeople, get a bonus per week based on sales, not ONLY an hourly wage (and not based on individual sales). Profit-sharing on a micro/store level. Does any C-Level employee *earn* 10mm USD?!

          1. voksalna

            (Note this would also cut down employee theft and fraud quite a bit if loss were calculated in).

            1. JCitizen

              Well we’d all like to spread the wealth around, but I am very uncomfortable with the concept. Are we to covet what our neighbor has? I was a poor credit card slave for many years, but I would have easily got out from under this bond, by simply getting medical treatment for my sleep apnea. I could not think my way out of a piss soaked paper bag! If you see your poor neighbor, lend them advice on what to do to get out of debt and poverty. Do not lend a judgmental hand in this!

              As soon as I got the treatment, my mind cleared and my old common sense came back. I am now doing well, but I have to say – I was a happy sot back then! I miss the people I had camaraderie with in those days! Everyone had cable TV, air conditioning, and at least one cell phone or “lifeline” land line phone!

              I met nary a person who was unhappy, although a bunch of us were sick and didn’t even know it! We were all as poor as church mice!

              I feel much of what is wrong with the disparity in wages and such will be fixed when the government gets out of the way of us innovators and entrepreneurs. I’ve had a dozen good ideas about starting a business, only to be blocked with overt regulation! This is the problem world wide, not just the US. In fact it is shameful that we are in the boat with the rest of the world when we ignorantly profess to be the greatest country for innovation!

              HA! I have a few clients who have been eaten alive by industrial espionage teams that keep the innovative in the gutter and out of touch with enterprise and the success they deserve! Intellectual property rights are but a dream nowadays!

              If you want to change the world – end this hypocrisy, and help the innovative. We would have many more Bill Gates and his foundation to call for. The American history calls on us many times for this. The list goes on and on and keeps giving, because it continues to make money more and more, and give more and more.

              Bill and Melinda Gates Foundation
              Warren Buffett
              Atlantic Philanthropies
              Azim Premji
              Ted Turner to the United Nations
              ROCKEFELLER FOUNDATION
              T. Boone Pickens – who is still influencing alternate energy too!
              Walter Annenberg Project
              Andrew Carnegie Foundation
              Reader’s Digest fortune
              Michael Jackson charities
              Global Village Champions
              Raymond and Ruth Perelman University of School of Medicine
              Joan Kroc National Public Radio
              Phil and Penny Knight (co-founder of Nike) to Oregon Health and Science University
              Mark_Zuckerberg to Mayor Cory Booker for the Newark, New Jersey public schools.
              Henry and Betty Rowan to Glassboro State College
              Charles T. Hinde Southern California charities

              I could go on and on, and we can all benefit.

              1. voksalna

                So instead of increasing a person’s ability to be self-sufficient and pay for their own care and living via fair practices and shared profits (instead of top-heavy income and every body else just barely getting by), you advocate a return to (an updated form of) feudalism? I’m confused.

  3. Solar-Powered-Sea-Slug

    Wow. Good thing we immediately canceled the cards we used the day Brian first made his announcement…

    Thanks Brian!

    1. Jonas Turner

      Yeah, I did the same thing as well. I figured there was no cost to me to cancel my card and to get a new one…why not do so? I actually benefit from it since I get a new card and anything in the past I used from it is no longer a threat against me.

      1. Security Guy

        The “cost” of cancelling one’s credit cards is normally calculated in inconvenience. This is especially the case when it’s mid-late December and many people are using their credit card more than usual.

        1. Serena

          I use my credit card for several auto-pay accounts. My old cc# was used fraudulently in early 2013, I got a new # but had to update all of the auto-pay accounts. It was a pain. I see what I should do now is segregate my cards, use one only for auto-pays and use others for store purchases and not mix the two.

    2. Allan Miller

      As mentioned in the article, you still need to be more vigilant than usual about ID theft. Your real loss was not the credit cards, it was the information attached to them.

  4. ValidSoft

    This article sheds a different and interesting light on the methods now being deployed by the fraudsters. Basically these latest tactics are designed specifically to outwit the Risk Engines. Risk Engines work on the principle that if a transaction seems “normal” the risk engine will generally approve the transaction. Of course there are other checks that the risk engine will perform, but transactions that “appear” to originate from the locality of the normal use of the card will not generally appear unusual to the risk engine and the probability that the transaction will be approved is considerably improved.

    So, the Target hackers have undertaken to sell location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That puts the “value” on the 40 million+ payment cards stolen from Target at between $800 million and $4 billion! If we assume that their ROI is a minimum of 10 times their “investment” then we are looking at a fraud value of between $8bn and $40bn. Who says that crime does not pay? The cost to the industry is substantially more and it is estimated that the absolute cost of fraud (the $value) is only 30% of the total cost to the industry. So, now we are looking at between $27bn and $134bn for the Target breach. Ok, they won’t be 100% successful, but even if they only achieve 20% success we can expect the industry to wear costs between $5 billion and $27bn. A staggering $impact for a single data breach! No wonder that we hear that Class Actions are being prepared and knives being sharpened. The outlook for Target, an unfortunate company name to say the least, is bleak!

    So, the fraudsters’ decision to add location data is a clever extension to the old skimming techniques (which of course will continue). The current implementation is simplistic but already proving to be successful and as we have seen, the fraud community is quick to exploit opportunity. We should therefore expect that as their methods evolve, they will become more sophisticated. The tools to achieve this are already out there in various forms, and the ability of the fraud community to mobilise such resources is without question.

    Industry analysts seem surprised by the evolution of payment card data + location data, but we predicted this progression some time ago, and it is of course a logical progression to current skimming techniques. The solution to this type of attack requires real-time, reliable (ie trusted), granular location data, where the information to validate a transaction within the Authorisation Step is immediately available, invisible to the consumer, and totally privacy sensitive. Such counter technology is already available in the market today. Mind sets need to change. If your defence security mechanisms are based solely on keeping the bad guys out, then you have already lost the battle, and possibly the war!

    1. Rabid Howler Monkey

      Location data, specifically the card holder’s zip code and phone number, along with the card details can be used to get financial information such as the card limit and available balance. And, perhaps, recent transactions made by the card holder as well.

      It would seem that this additional information would be of great value to miscreants that purchase and use the stolen credit cards.

    2. voksalna

      Calculated potential loss is NEVER the same as gross or actual loss. NEVER. The actual financial losses from this given the discovery timeline, provided it is handled properly, will be in the millions, maybe tens of millions; the likelihood of even reaching 100 million is ridiculously minuscule. And the people who took the data will not get nearly as much due to economics/supply & demand and the fact that there is no ATM capability (yet; I have mentioned the chances of the PINs being cracked are very small, and even if they were, that would take time; they have already been discovered; for the actual thieves the money was in the card sales not the card use).

      The main ‘losses’ here will involve costs related to having to replace the cards (by banks, including manpower and materials and postage and things like LifeLock), and those are the figures that will be used, as well as the cost for Target to do audits and updates (things which should have been done in the first place if they were not already).

  5. Ian P.

    I looked back and found that I did make a purchase at Target during that time period, using my debit card. My bank already contacted me and said they have “been made aware of a breach” and have put a new debit card in the mail. I’m not sure what triggered this however. Is Target contacting banks? Are banks searching their database for Target transactions? Hmmm…

    1. Fin ISO

      Ian, as a banker we ran a query on card authorization history for any Target transactions between the compromised dates. If a customer's card was on that list it was instantly restricted, a letter was mailed, and a new card was put on order.

      1. KathyB

        The bank where I’m the ISO did the same thing Fin ISO did…ran the query, those that used their cards during the breach period were notified and a replacement card sent. IMO any bank that doesn’t do this is foolish.

        The credit union where I bank did the same thing. I used my card at Target in early-December & was notified the card will be replaced. I have been monitoring my account daily and will continue doing so until I receive the new card.

        I have not patronized Target since the breach and was amazed on Saturday when driving by that the parking lot was pretty full of shoppers.

    2. Jacob B

      Banks are indeed searching their databases for transactions at Target during the date range; in addition, many card processors have sent out lists to their banks of compromised cards.

    3. Andrea

      Banks also get lists of compromised cards from their processors on compromises, which is most likely done by Target’s processor.
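The issuer-side check that Fin ISO and KathyB describe above (query card authorization history for transactions at the breached merchant inside the compromise window, then restrict the card and order a replacement), merged with the processor-supplied compromised-card lists that Jacob B and Andrea mention, as an added example that is not from the original post or from any commenter. Everything in it is constructed: the authorization rows, the card tokens standing in for PANs, the merchant descriptors, and the compromise-window dates are placeholders, not figures from the page.

```python
import sqlite3

# Constructed sample authorization history (not real data). Card values are
# issuer-side tokens standing in for PANs; descriptors and timestamps are made up.
SAMPLE_AUTHS = [
    # (card_token, merchant_descriptor, auth_ts, amount_cents)
    ("tok_0001", "TARGET T-1234 MINNEAPOLIS MN", "2013-12-02 18:41:05", 5419),
    ("tok_0002", "TARGET T-0087 DENVER CO", "2013-12-14 09:12:44", 1299),
    ("tok_0003", "TARGET.COM", "2013-11-25 22:03:10", 8999),           # before window
    ("tok_0004", "SAFEWAY 1221 SEATTLE WA", "2013-12-05 12:00:00", 2310),
    ("tok_0001", "SHELL OIL 5591 ST PAUL MN", "2013-12-03 07:15:22", 4000),
    ("tok_0005", "TARGET T-2210 AUSTIN TX", "2013-12-16 10:30:00", 1500),  # after window
]

# Hypothetical compromise window. A real issuer takes these bounds from the
# processor / card-brand alert, not from a script.
WINDOW_START = "2013-11-27 00:00:00"
WINDOW_END = "2013-12-15 23:59:59"


def build_auth_db(rows=SAMPLE_AUTHS):
    """Create an in-memory card_auth table plus a card_status table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE card_auth ("
        "card_token TEXT NOT NULL, merchant TEXT NOT NULL, "
        "auth_ts TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE card_status (card_token TEXT PRIMARY KEY, status TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO card_auth VALUES (?, ?, ?, ?)", rows)
    # Every token seen in the history starts out active.
    conn.execute(
        "INSERT OR IGNORE INTO card_status "
        "SELECT DISTINCT card_token, 'active' FROM card_auth"
    )
    conn.commit()
    return conn


def cards_seen_at_merchant(conn, merchant_prefix, start=WINDOW_START, end=WINDOW_END):
    """Distinct tokens with at least one auth at a matching merchant inside the window.

    Bound parameters keep the descriptor and dates out of the SQL text. The prefix
    match is deliberately loose because descriptors vary by store and acquirer,
    which is also why the processor-supplied list is merged in below.
    """
    cur = conn.execute(
        "SELECT DISTINCT card_token FROM card_auth "
        "WHERE merchant LIKE ? AND auth_ts BETWEEN ? AND ? "
        "ORDER BY card_token",
        (merchant_prefix + "%", start, end),
    )
    return [row[0] for row in cur]


def cards_to_reissue(conn, processor_list, merchant_prefix="TARGET"):
    """Union of the issuer's own query and the processor's compromised-card list."""
    exposed = set(cards_seen_at_merchant(conn, merchant_prefix))
    exposed.update(processor_list)
    return sorted(exposed)


def restrict_cards(conn, tokens):
    """Mark each token restricted (the reissue order would follow); returns the restricted count."""
    conn.executemany(
        "INSERT OR REPLACE INTO card_status (card_token, status) VALUES (?, 'restricted')",
        [(t,) for t in tokens],
    )
    conn.commit()
    return conn.execute(
        "SELECT COUNT(*) FROM card_status WHERE status = 'restricted'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_auth_db()
    # Constructed processor list: one overlap with our own query, one card never seen at Target.
    from_processor = ["tok_0002", "tok_0009"]
    to_reissue = cards_to_reissue(db, from_processor)
    print("restrict + reissue:", to_reissue)
    print("cards now restricted:", restrict_cards(db, to_reissue))
```

The two sources are unioned rather than intersected on purpose: the descriptor query catches cards the processor list has not reached yet, and the processor list catches cards whose Target authorizations carried a descriptor the prefix match missed. Working on tokens rather than raw PANs keeps the stored history itself out of scope if this table is ever exposed.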

  6. LGT

    So, another database was hacked, perhaps for online customers? Or do credit and debit cards provide addresses, phone numbers and other information on the back of the card? Seems unlikely that they do.

    How did the hackers get this personal info if it is not part of the card swipe?

    1. Chris Novak

      Target has other databases including mailing lists, gift registries, AND its own ‘Red card’ program.

  7. PR

    Target is now offering 1 year of free credit monitoring, identity theft protection to all guests after breach

  8. saucymugwump

    Target outsourced most of its IT employees to India many years ago (go to Target’s jobs website and using the “Search management & corporate careers” field search for “software architect” and note how many jobs are located in Karnataka, Bangalore, India). The data loss is not altogether surprising given that Target’s software and systems are shared across the entire Internet.

    I also want to echo bks’ comment about corporate malfeasance. If I were a major shareholder I would be downright angry that Target allowed this data loss which will lead to millions of dollars of lost sales due to lost customer confidence. Of course, our illustrious Congress has neglected to pass laws allowing shareholders to take control of such a situation and dismiss incompetent management.

    1. meh

      Of course they won’t prevent it, half of them get bribed aka paid by lobbyists to not pass anything in the interests of the public.

    2. voksalna

      Funny thing: Despite what one might have assumed would happen, Target’s stock prices went UP not DOWN after the breach was reported on. So I am not sure I agree with this. I agree it is how it should be though, and that it not being this way says a lot.

    3. Serena

      Is Target’s IT security team and are their computers in India? Just because they have software development going on in India doesn’t mean that their entire IT is in India. I’m curious, I don’t know the answer to my questions.

  9. meh

    The chairman’s statement reminds me of the South Park where the CEO of BP Oil is sprawled out naked in front of a fire giving ‘heartfelt apologies’.. So sorry… People out billions, environment destroyed for years but he’s sorry. Good job.

    1. Andy

      “environment destroyed for years”

      Amazing how that oil never washed up on shore. More amazing was that all the leaked oil still would not have filled the rather small Central Park reservoir.

      1. Panix

        If you think the oil never washed up, you’re sorely mistaken. My parents visited their condo at Gulf Shores, AL after the oil spill and said it was everywhere on the beaches.

        I went to the condo over the summer with my new girlfriend and it was all cleaned up now and has been for a while but still, it DID happen and wasn’t some media hype.

      2. Francis, the talking mule

        The Deepwater Horizon oil spill was the largest accidental marine oil spill in the history of the petroleum industry, spilling 4.9 million barrels of oil into the Gulf. The Exxon Valdez oil spill, by comparison, only (!) spilled 260,000 to 750,000 barrels, depending upon whose estimate you believe, into Prince William Sound. But you probably think the oil in Prince William Sound was someone’s imagination.

        Here are just two galleries of photos of the BP oil spill:
        http://www.huffingtonpost.com/2010/04/30/louisiana-oil-spill-2010_n_558287.html
        http://www.theguardian.com/environment/gallery/2013/dec/09/spill-daniel-beltra-in-pictures

        Now that we have confirmed that you are an imbecile, why don’t you go away permanently?

        1. voksalna

          People have such short memories. Out of sight is out of mind for most people. It does not impact me? Oh then I guess it didn’t matter or wasn’t really as real as not getting the correct change for their latte from a Starbucks.

  10. bks

    Maybe when they outsourced their IT to India they also outsourced their thinking? This is no longer about malware at the checkout, this is about corporate malfeasance.
    –bks

    1. Bruce Hobbs

      Give the hackers some credit! Which would you rather be: a corporate security wonk spending all day in a boring environment wishing you were on the beach OR trying to solve the puzzle of corporate security with a multi-million dollar payout if you are successful? Have you thought how many years it takes as a security wonk to earn $1,000,000?

  11. Wade

    So, this latest news indicates that, contrary to prior assertions, the compromise was NOT confined to mag stripe data or to the POS platform. This type of data would not normally be resident in either. It's unclear if this additional data also includes additional exposed card records.

    I fear we have not seen the end of this one…..

  12. Eric

    70 million individuals. The entire U.S. adult population, over 18, is 250 million. These numbers suggest that 1 in 3.6 people shopped at Target during the compromised dates. No way.

    The hackers got far deeper than just sales records over a couple of weeks. They got Target's entire database, or another entity beyond Target, to reach 70 million.

      1. Brett

        You are correct, it goes back further than Target is claiming. One of my cards was last used at Target on October 30.

        On December 26, my CC company halted a transaction where someone was trying to buy fuel at a Petro-Canada somewhere in Ontario, Canada. I told them I wasn’t in Canada buying fuel, so it wasn’t me doing it. So new card for me!

        Target has been very quiet about all of this, and it’s kind of upsetting. Based on my experience there’s no way it was such a small window of time where data was stolen.

        1. BrianKrebs Post author

          Brett, it’s not that simple. You can’t just conclude that because you had card fraud before the Target breach window that your fraud was the result of the Target breach. There are many breaches every month from retailers large and small. Chances are very slim of you ever finding out where your card was breached at.

          1. Brett

            True, I likely will never know for sure. But based on the fact that I didn’t use that card for much else aside from paying for propane service and my Time Warner bill, I’m thinking that it was something to do with Target. Either way, Target is on my crap-list of places to not buy from at the moment.

  13. jb

    They sell gift cards at the POS, and for some of them, collect information generally available on a drivers license during the sale, so that is probably the data that got compromised. I’m not ready to leap to the conclusion more systems were hacked, yet.

    I’m just trying to figure out if this is 40 + 70 or “just” 30 million.

    1. OhioMC

      This is the scary convergence of corporate compliance and marketing programs. To protect the franchise from employees selling alcohol to minors you set policy that cashiers must swipe state IDs, e.g. drivers license. If you do not purge that data but harvest it, you put your corporation in a position where someone can steal everything you read off the license (birthday, address, license number, physical descriptions).

      For libertarians, this is where the class action lawsuit takes the place of regulations. I’d be happy to be part of this one if license swipes were stolen – that seems potentially MUCH more damaging than losing a limited liability credit card.

      1. SandyBush

        You make a good point OhioMC, I never did like them swiping my driver’s license for cigarettes (and I’m 40 for crying out loud). I wonder what’s all on the driver’s license mag strip, date of birth obviously, but I wonder what else! Probably different in every state I’m sure! I know in Louisiana, my SSN is in the DMV database, but surely it’s not on the mag strip, although considering the Louisiana state government, it wouldn’t surprise me!

        1. Serena

          Wow, is it a law in your state that you must have a valid state ID or driver’s license to purchase cigarettes? And the merchant must record your ID or license #? That’s outrageous! Just viewing the date of birth on the ID should be sufficient, no need to record it.

  14. Sparrow

    So, Brian, any recommendations for credit and identity theft monitoring agencies?

    We didn’t use a debit or credit card at Target during that time frame, but we did provide ID to purchase allergy medication at the pharmacy counter.

    And that leads me to wonder if pharmacy records could have been breached as well…?

    1. Varun

      This is a great question.

      So often we get offers for free credit monitoring after a breach. Brian any insight as to what important services need to be included with such services and any companies come to mind?

      1. BrianKrebs Post author

        The theft of email addresses and phone numbers from Target customers will probably mean those folks will get more email and phone solicitations and scams.

        But IMHO, there is a close to zero chance that thieves could use the information stolen from Target to perpetrate identity theft directly. Many people conflate credit card fraud with identity theft, but these are two very different problems. The former is quite easy for the consumer to resolve, and he or she has very little (if any) liability for fraud. Identity theft, on the other hand, generally involves the creation of new or synthetic lines of credit in the consumer’s name, which can take many years and cost thousands of dollars to resolve. Check the FTC’s figures, but they have some scary stats on the average cost/time/hassle involved in resolving real ID theft issues.

        The reason Target is offering ID theft protection as a result of this breach is that this step has become part of the playbook for companies that suffer a data breach. Since most consumers conflate credit card fraud with ID theft, many will interpret that to mean that the breached entity is somehow addressing the problem, when in reality this type of response mainly serves as a kind of “first response” to help the breached entity weather public outrage over the intrusion. I’m sure the companies involved in selling ID theft and credit monitoring services are very happy about this. A good question to find the answer to would be on average how many people continue paying for the ID theft protection after the “free” protection offered by the breached entity expires. I bet the number would surprising if you could get anyone to tell you (Lifelock?).

        1. JCitizen

          My only problem with Life-Lock was that when it started, people seem to forget that there were some serious concerns on the reputation of the guy that founded it. I believe he resigned as CEO to help deflect any of these concerns, but to be fair this site seems to have done a thorough look at it:

          http://www.scambusters.org/identity.html

          I simply signed up for my monitoring through my password manager – that way I get the alert instantaneously that someone checked or tried to use my credit.

        2. saucymugwump

          @BrianKrebs
          “But IMHO, there is a close to zero chance that thieves could use the information stolen from Target to perpetrate identity theft directly”

          This is not necessarily true for customers with Target-branded credit/debit cards, as the application process involves SSN and DOB. Target’s online credit card application states that “The REDcard credit cards are issued by TD Bank USA, N.A.” with TD Bank translating to The Toronto-Dominion Bank.

          The online application also states that “By applying for a Target Credit Card, you agree that you are providing contact information from your application to TD Bank USA, N.A. and Target Corporation for their use, including marketing.” This statement implies that Target keeps a copy of the application data for marketing purposes — and we have seen how all of Target’s databases have been accessed.

          1. saucymugwump

            To add to my comment for the bankers here.

            The Toronto-Dominion Bank states on its website that “TD Bank is one of the 10 largest banks in the U.S.”

            But according to the U.S. government, TD Bank is #14 on the list of largest holding companies (see URL below). TD Bank is probably excluding some quasi-banks, e.g. Goldman Sachs and GE Capital Corporation, to make its claim. Still, even #14 means we are dealing with really large entities.

            http://www.ffiec.gov/nicpubweb/nicweb/Top50Form.aspx

        3. TheOreganoRouter.onion

          A person can get free basic credit monitoring through this website

          hxxps://www.trustedid.com

          1. saucymugwump

            First, that report is not free; a 14-day trial is offered.

            Second, you will need to give SSN and DOB for credit monitoring. You need to be very sure you can trust a credit monitoring service.

        4. SandyBush

          Krebs, I’m DYING to know if you ever heard anything more from “Helkern” after you turned down his $10k offer? I would LOVE to read a follow-up story to that one!

      2. SandyBush

        Varun, most of those companies charge you money to do what you can accomplish for free. The Federal Trade Commission gives you one free credit report per year, per credit agency, at annualcreditreport.gov. Instead of getting all three agencies once per year, I spread it out and get a report from one agency every three or four months. It's free and it gives you everything those companies charge you for, except your score.

  15. Scott

    Brian,

    Have you heard if there is any indication that this had “inside” help? It is appearing to me the more we uncover that the attackers had “help” on the inside. Just an observation.

    I can see many many phishing attempts coming in the future. The email addresses may be worth more in the long run as the credit card numbers.

    Thanks again for all your reporting Brian!

    Scott

  16. rb

    Brian, can you add anything to this statement in the last paragraph? In what way(s) are these folks spooked?

    “This lack of communication appears to have spooked many folks responsible for defending other retailers from such attacks”

    1. SandyBush

      I think what he meant was this, other companies want to know how the hackers got in so they can make sure their company isn’t vulnerable to the same style attack.

  17. JCitizen

    Good questions Sparrow and Scott! Until Target releases enough details to point to how this breach occurred, I hold them continuously responsible for repeat problems all across the economy. Perhaps we need a law in congress forcing the Secret Service and the FBI to at least release mitigation information through channels that would include IT and Banking security professionals.

    All these questions of how the frick they lost the data are maddening – we should demand accountability or put a boycott on Target! I hate to say it, because they are one of my favorite stores, but I’ll probably never shop there again until this information is made clear.

  18. Michael

    The information that’s public suggests this has very little to do with POS malware or even the POS terminals themselves, since it appears every store in the United States was affected. It looks very much like the servers at Target’s HQ themselves were owned, hence the two databases getting scraped.

    1. RBBrittain

      Actually, Brian’s early reports make it VERY clear that the POS terminals were breached; until now, the extent of the breach Target has admitted to (i.e., unencrypted magstripes plus encrypted PINs) has been consistent with that theory. Also, what little Target’s CEO has put out suggests that though every Target *store* was affected, NOT every *POS terminal* was breached.

      It’s almost certain that, at the very least, the perps managed to get their malware into a large proportion of Target’s POS terminals (though probably not 100% of them). Whether that was due to lax store-level security, hacking into a “ghost” or similar image used to update the terminals (reportedly the terminals operate in a virtual machine environment), or something else is another matter.

      What we DON’T know about this new revelation is exactly HOW these perps got the additional data. It’s possible it flowed thru the infected terminals, but with apparently an additional 30M non-duplicate customers affected it’s very possible they hacked into a DIFFERENT database. Either way, that makes the potential damage even WORSE than previously disclosed, especially since I know Target has ACH data in both the POS terminals (from checks) *and* central databases (for REDcard debit cardholders) that could be used to generate fraudulent checks and/or direct debits…

  19. PR

    Target says personal data stolen could affect past shoppers, not just those who visited the store recently

  20. Alan

    This raises the question of where else did they get to? Track 2 does not store address and email data. Does this mean that it is now expanded to online purchases? Did they get into the Corporate Accounting DB? This is blowing up very large, very quickly. This could be the end for Target.

    The other question is this: Are the banks/credit unions going to back their customers? To what extent? What if in a month we find out SSNs are included in this. Identity theft is a long, painful, and expensive process for each customer.

  21. Anon

    ….shopped there online (so name, email, address, etc.). Someone used our card number to try to spend aprx. $4000 & $400 on the other side of the U.S. Fortunately flagged by our bank (who did, btw, send out a warning email after the breach).

  22. Tim Riley

    The impact on consumer trust is substantial. I was in Target shortly after your first announcement and people were specifically using cash. After reading Target’s full press release this morning, their immediate hit to sales and earnings from the breach should serve as further warning of the high cost and business disruption from a data breach. Every CEO and CIO should ensure that data protection is consistently near the top of the list.

  23. David Biser

    This is truly a vast intrusion and we are only hearing small bits and pieces of the puzzle. This is probably being done for a reason and for damage control by Target. As time passes I am sure we will hear more tidbits of information released and they hope that by slowly releasing this information it will keep the public from picking up on the big picture.

    There are a variety of issues at work here, including those mentioned in Mr. Krebs’ post, and the inclusion of email addresses, physical addresses and other personally identifying information increases the opportunities for criminals to pursue identity theft against the victims.

    The credit card numbers will be matched up with the other information to assist in the identity theft. If you shopped at Target, either on-line or in person, then you need to ensure that you are checking your accounts and engaging with a service that monitors these things, for your own protection. You certainly do not want to wait until your identity is fully stolen before taking steps to protect yourself!

    In a current case I have personal knowledge of, thieves are posting items on a well known auction site, then when the item sells, they order it via a stolen credit card and have it shipped to the buyer. Most buyers aren’t checking the receipt and never notice that it was bought by someone other than the person they ordered it from and the theft continues! These credit cards are used once and then recycled so most credit card agencies and banks never pick up on the fraudulent purchase. A very clever and sublime usage of stolen identity!

    Watch Target closely, there is more to come!

  24. Don

    I noticed that Target’s POS devices are Windows based.
    I saw the Windows ‘splash screen’ when they rebooted a cash register. One would have to wonder how hard it would be to exploit a Windows vulnerability from any register. If I gave an employee a hundred dollar bill and a flash drive…

    Brian, thanks for all you do.

  25. Nate

    I have worked in IT applications for several retailers. Security is not taken seriously. Databases with common accounts and passwords for “read only” views, encryption bypassed or ignored for sensitive data, etc, etc. There are many problems.

    The business teams (marketing, accounting, etc.) are clueless about data security in general, and when IT makes it harder for them to access that data, they get upset. Your retailer mailing lists are often stored in plaintext in databases, or even just in big Excel files! I’ve seen queries executed by business users, “select * from customer join transaction”, where it’s clear they are pulling the *entire customer and transaction list* into their tool, irrespective of what columns they really need.

    IT is full of poor practices as well. The folks that many retailers hire in permanent security positions are often glorified network administrators, with very little knowledge of how to secure applications and databases. They might be able to set up a firewall or a PGP key, but that’s about all they learned at the 2-year ITT tech program. The programmers themselves are clueless as well – when they encrypt data, they store the key somewhere easy to get for anyone, and don’t salt the records they store.

    To correct this, IT needs *every* individual working there to understand how to secure their systems, and *why* it is so important to do so. Until the BAs, PMs, developers, DBAs, and sysadmins are all on the same page, we’ll be seeing breaches like this for a long time to come.
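    The two habits Nate calls out (the encryption key "stored somewhere easy to get" and records that are not salted) can be shown side by side. The block below is an added example and is not code from the post, from Target, or from any commenter; it assumes a hypothetical task of tokenizing customer emails for a marketing list, a hypothetical `CUSTOMER_TOKEN_KEY` environment variable, and constructed sample rows. The weak version is a deterministic digest with a key baked into the source, so equal emails produce equal tokens and a leaked table can be joined or dictionary-cracked without the plaintext; the hardened version draws a per-record random salt and keys the hash with a secret loaded at run time.

```python
"""
Added example (not from the KrebsOnSecurity post or its comments).

  weak_token():   deterministic SHA-256 over a hardcoded key + email, no salt.
                  Equal inputs give equal outputs, so a leaked table is
                  linkable across records and cheap to dictionary-attack.
  strong_token(): per-record random salt plus an HMAC whose key comes from
                  the environment (hypothetical CUSTOMER_TOKEN_KEY), never
                  from the source tree.

All customer rows below are constructed sample data.
"""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional, Tuple

# Constructed sample "marketing list" rows; two belong to the same person.
SAMPLE_CUSTOMERS = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.com"},
    {"id": 3, "email": "Alice@Example.com"},
]

# --- The weak pattern the comment describes ---------------------------
HARDCODED_KEY = b"changeme"  # the key that is "easy to get for anyone"


def weak_token(email: str) -> str:
    """Unsalted, deterministic digest: identical emails -> identical tokens."""
    return hashlib.sha256(HARDCODED_KEY + email.lower().encode()).hexdigest()


# --- The hardened pattern ---------------------------------------------
KEY_ENV_VAR = "CUSTOMER_TOKEN_KEY"  # hypothetical variable name, an assumption


def load_key() -> bytes:
    """Fetch the HMAC key from the environment; refuse to run without one."""
    raw = os.environ.get(KEY_ENV_VAR)
    if not raw or len(raw) < 32:
        raise RuntimeError(f"{KEY_ENV_VAR} must be set to at least 32 characters")
    return raw.encode()


def strong_token(email: str, key: bytes, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-record salt + keyed hash. Returns (salt_hex, token_hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh 128-bit salt for every record
    digest = hmac.new(key, salt + email.lower().encode(), hashlib.sha256).hexdigest()
    return salt.hex(), digest


def verify_strong(email: str, key: bytes, salt_hex: str, token_hex: str) -> bool:
    """Recompute the token from the stored salt and compare in constant time."""
    _, expected = strong_token(email, key, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, token_hex)


def tokenize(customers, key: bytes):
    """Produce both token sets for the same rows so they can be compared."""
    weak = [weak_token(c["email"]) for c in customers]
    strong = [strong_token(c["email"], key) for c in customers]
    return weak, strong


def linkable_pairs(tokens: List[str]) -> int:
    """Count (i, j) pairs that share a token, i.e. rows joinable with no plaintext."""
    n = len(tokens)
    return sum(1 for i in range(n) for j in range(i + 1, n) if tokens[i] == tokens[j])


if __name__ == "__main__":
    os.environ.setdefault(KEY_ENV_VAR, secrets.token_hex(32))  # demo only
    key = load_key()
    weak, strong = tokenize(SAMPLE_CUSTOMERS, key)
    print("weak tokens, linkable pairs:  ", linkable_pairs(weak))
    print("strong tokens, linkable pairs:", linkable_pairs([t for _, t in strong]))
```

    The trade-off is deliberate: a salted token cannot be used to look a customer up by email, which is exactly what stops a stolen table from being joined against another one. Where a lookup key is genuinely needed, it belongs behind an access-controlled service, not in the same export that the `select *` query above would pull.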

    1. greenja

      This post validates a lot of concerns (wonk side) and opportunities (dark side). I sure hope Brian and others can publish the truth.

      This is a material effect on Target and its continuity of business. I think SOX will require them to make some public disclosures, all of retail (and backoffice) need to know where the vulnerability was acted upon.

      Just social engineering? Layered defense failure? Policy neglect or violation? Combo?

      I (we) went thru a 4 million PII record loss a few years back. The CIO and CSO were walked (even though the CSO was squawking about the concern before the loss).

  26. TheOreganoRouter.onion

    Posted this article on the Target Facebook official site, to inform the customers who were affected by this unfortunate breach.

  27. Chris Forsythe

    Do you have documentation that includes:
    What specifically is on an EMV chip? Specific detail, format, encryption used, per card brand, among anything else?

    I’ve read conflicting reports. PIN is Yes/No, Encryption is Yes/No, Secret Key, Dynamic vs. Static verification code.

  28. Jasmine G

    As a Target store credit card customer, I can see now where Target has become extremely sloppy with the security of cardholders’ information.

    I don’t use the card often, but I’m signed up for every e-notification possible. It used to be that whenever I used the card, I’d be hit with a text message alert even before I left the store. In the past 10 years, I haven’t made any single large purchases, just small ones, but within the past year or so, I’ve noticed that it takes a minimum of 3 days for me to get a text or email alert telling me that my card has been used inside a Target store.

    Yesterday, I bought a pair of expensive Bose headphones. Not a word from Target, not a text message or email alert, even though this is completely abnormal for my buying habits with this card. I even double-checked my card security alert settings online, to make sure I hadn’t changed something.

  29. Ursula

    I have been a loyal Target customer for years. I can’t stand Wal-Mart and I like the quality of items I can find at Target.

    I appreciate everything Target is trying to do. Obviously I do believe they were not adequately prepared to protect their systems and their customers’ data from criminals.

    Personally, as soon as I saw Krebs’ story regarding the breach, I drove to my bank and cancelled my debit card that was used at my local Target on Black Friday. The biggest pain I had to deal with so far was waiting for two weeks to get a new bank debit card.

    However, I know many people who have had issues.
