06
May 14

The Target Breach, By the Numbers

News that Target’s CEO Gregg Steinhafle is stepping down has prompted a flurry of reports from media outlets trying to recap events since the company announced a data breach on Dec. 19, 2013. Sprinkled throughout those reports were lots of numbers, which got me to thinking about synthesizing them with some of the less-reported numbers associated with this epic breach.

numbers40 million The number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.

70 million – The number of records stolen that included the name, address, email address and phone number of Target shoppers.

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

100 million – The number of dollars Target says it will spend upgrading their payment terminals to support Chip-and-PIN enabled cards.

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).

0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

18.00 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

53.7 million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure as Target’s chief executive.

Update, May 7, 10:00 a.m. ET: The Guardian yesterday ran an op-ed that I wrote about the departure of Target’s CEO and the need for greater focus on security from the top-down across the retail industry.

Tags: , ,

136 comments

  1. I’m so glad you made that point about the chip and pin cards/terminals. Everyone is placing such an emphasis on those cards as the future of protection for consumers, but it’s just a band-aid to a much larger problem.

    • Totally agree, I can’t stand hearing all of these people claiming that we are so far behind Europe etc… If someone can tell me how Chip and Pin can be used to protect my online purchase from Amazon then I will change my mind but unless they have the flying drones to come swipe my card then they are just clueless to how the technology works.

      • With Chip and PIN, Target would have had a one use only code in place of the CVC2. Thus, the real CVC2 could still protect online transactions. No, it’s not a panacea, but it is an improvement and more are in the works.

    • I do not agree. With my Belgian chip-and-pin card I must validate my online transcations with my pin code (by means of a redirection to my bank site).
      So “misuse” of chip-and-pin cards does not change anything, but if used “correctly” yes!

    • Right on Vinny! HA!

      0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing

      I wished all news outlets would do more follow up reporting like Brian does – sometimes the follow up is more interesting that the original breaking news!!

      KUDOS to Brian for being a QUALITY journalist!!!!

  2. Allan Miller

    Wow, sounds like the hackers are well trained for the CEO position!

  3. The most depressing number is the last one; $55m for overseeing a stuff-up of monumental proportions while the workers at the bottom of the heap who do a good job get a pittance. No doubt they will tell you they’re an ethical company…

    • Yes! Good old Greg earns $1.38 for each and every card stolen.

    • And just think, they probably thought that 55 mil was cheap!
      Typical board room mindset that traps us all in the same work for a living world while some few, obviously non-deserving muckheads get to retire on our hard earned cash.

      A symptom of what wrong with Big Business, lose our information, use our money, charge us fees to shop at your store, then screw us again when you lose our PII.

    • Don’t you mean “while the employees at the bottom IGNORE alerts”?

  4. It’s really hard that the US, which invented the credit and debit card-based business, has fallen behind Europe in this matter. Almost every German bank has switched to Chip and Pin several years ago, the same counts for the UK.

    • Allan Miller

      Although, if you read the article, one of Brian’s points is that Chip-and-PIN wouldn’t have changed anything in the Target breach, since the mechanism of the breach involved compromising the point-of-sale terminals, not the cards.

      • While it is true that chip-and-PIN wouldn’t have kept the card data from being stolen, what chip-and-PIN can do is make the cards much harder to copy.
        With just the credit card number and expiration date you can basically do squat with the card (at least in Germany). For online transactions you would need the CVV2 code, for brick-and-mortar stores you need the PIN to decode the chip’s contents.

        Making fraudulent copies and using those to go shopping in other countries will be picked up by the banks as unusual behaviour and denied VERY quickly.

        • Yes, I’d agree here. I beleive Chip and PIN would definitely make a difference because it would limit the fraud to only online retailers that do not ask for CVC2 codes (which hopefully is a small number of merchants?)

          This would make the stolen data much less usable and therefore less valuable to a thief, so I think Target would have been less of a target 😉

          • Brian,

            An article on the strength and weaknesses of the older magnetic strip credit cards used in the U.S., the proposed Chip and PINs (with and without full encryption enabled), and I believe a vendor has proposed another type of credit card that would not need current POS hardware to be changed out, would be interesting. Especially pertaining to their strengths and weaknesses in various breach/attack scenarios. Perhaps put each type of credit card in a scenario of a high-profile hack that has already occurred and see what the outcome could have been, i.e. Target, Michaels, TJX, White Lodging, fake terminals, etc… Of course with a new type of credit card the type of attack would change, but it would still be interesting to see how each would perform and what lessons could be learned.

    • Cowchip-N-in the Pen needs to die!

      February 2008
      http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf
      February 2010
      http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
      ” ”
      http://news.bbc.co.uk/2/hi/science/nature/8511710.stm
      September 2012
      http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

      Video summary of above report
      http://www.bbc.co.uk/news/technology-19559124

      There is better cheaper technology out there – Lets Keep-It-Simple-Stupid(KISS)

      • Citizen – next time you feel like cloning my work, be my guest, but please be so kind as to provide a URL for others. Otherwise it seems like plagiarism.

        The material (and much more) is located at
        http://nc3.mobi/references/emv/
        where you’ll see an update citing Mr. Krebs’ post with a URL clearly indicating the source.

        • I’ve had those links sitting in my note files for what seems like at least a year, I can’t remember where I got them – I’ll try to note that in the future, although I usually do that anyway if they are part of a post. I usually include the poster’s forum ID.

          I’ve added your source URL to the note and your KOS name. I will refer it that way from now on every time I use that note. Thanks for your consideration!

          • Thanks for the reply and future action. I try to post contents of my pages and limit posting my own site URLs to avoid being considered a self-promoter instead of a research-disseminator. That particular page gets updated as more nails are found for EMV.

            Shareholders of Target wish they wouldn’t spend big bucks money on something that is already of questionable value. I did contact them in January. They’ll “get back to me”. They could be at the forefront of a real solution instead of participating in security-theater.

  5. “CEO Gregg Steinhafle is stepping down”

    “55 million – The number of dollars outgoing CEO Gregg Steinhafel stands to reap in executive compensation and other benefits on his departure”

    So it’s not just in the UK that the powerful (Cabinet Ministers, CEOs, etc.) can get paid when they choose to leave office. For the rest of us when we resign (or do not seek a new contract) we get nowt.

    Surely executive contracts that require “payment for failure” also represent a security breach?

  6. A significant and hidden cost would possibly be the loss of consumer confidence in the use of cards generally, and would probably amount to a far higher loss to retailers than disclosed so far.

    • Completely agree. In the past, I used my debit card everywhere, and a credit card on line, but I wasn’t too concerned because I rarely shop at Target. Then my card was used and I received the notice from Target about my info having been stolen. I had last used my debit card there 3 years ago. I’m not positive it was the Target breach that lead to my info being stolen, so now my new card is used at the ATM only.
      I use my credit card only at a few places – and I haven’t made any online purchases in 2014. I now use cash unless it’s a large purchanse – then it made with a credit card.

  7. I see this severance package for incompetence with most mega-companies. The CEOs bag their “Golden Parachute” and move on to another mega only to repeat this ridiculous cycle.

    The customers are stuck with the bill via higher prices.

  8. Folks just need to stop shopping for one. Target sells nothing but cheap brightly colored junk of no lasting value or durability. All their product are manufactured overseas and every dollar spent goes into propping up a completely broken economic system. Secondly, the captains of finance, golden parachutes and all, are the heart if the problem–quite simply these people do not care. Because Money. Because we are the monetized serfs. It is not just hackers buying and selling all our infos. These guys and their corrupt unethical business sense – just this nasty zero sum game that has sucked all the life and economics from the local so that it is now all funneled through Wall Street are on the inside and we are just their victims. The blame lays in the guys at the top. The hackers are the low life cockroaches and rats living at the bottom snarfing up the crumbs of the feast that is our commoditized broken lives.

  9. Where does the $200 mill buck stop? Is Target accountable for the bank’s costs because their systems weren’t secure enough? Or do the banks make enough from Target transactions that they don’t care?

    • That depends on whether a PCI-DSS audit is conducted on Target.
      If they were found/have already been found to be compliant with this standard for handling credit cards, then the credit card companies and banks are on their own.
      If Target are found not to be compliant then it’s time to deploy the litigators.

      • They were compliant at their last audit – that said, the company that conducted their audit is suspect, and in fact has been named on a lawsuit regarding the breach. There was a lot of conversation at the last PCI Community Meetings about how suspect this auditor is, and that while they are the most expensive, you are basically paying for compliance regardless of your actual compliance.

        Who is at fault? Target for misimplementation in a complex environment? The auditors for missing it? The PCI counsel for standards that arent clear and can cause as much of a problem as a solution?

  10. while chip and pin doesn’t stop online fraud, it does mitigate against counterfeit fraud – ie. making a physical card from the online card data and then trying to draw money out of an ATM or using the card at a bricks-and-mortar merchant.
    counterfeit fraud appears to have migrated to those geographies where chip-enabled transactions are not supported.

  11. Numer of cards that were used successfully by the criminals after they were sold were turned into counterfeit cards. These successful fraud attacks would have not worked if chip and pin were in place at merchants. Because the cvv code that was compromised was the card present one, most online retailers (as long as they ask for and use cvv) were protected.

    To say chip and pin wouldn’t have helped is incorrect, the card info would have still been stolen, it just would have been useless.

    I am not saying chip and pin solves everything, but it would have made a major difference in this breach.

  12. TheOreganoRouter.onion.it

    Steinhafle is a corporate clown who’s leaving his job with millions of dollars in compensation , while the workers at Target still don’t make a livable wage

  13. The possible 55mil he’ll get is absolutely ridiculous. Wake up folks! You might as well be flushing that down the toilet along with all the other money Target’s lost this past year.

    And then there’s this… “0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP)”

    How about taking that possible 55mil & increasing the Target employee wages plus hiring a CISO or CSO? MUCH better investment than giving it to a failed CEO!

    • There is nothing wrong with the money he received. It was negotiated and in writing.

      If you want to blame someone, blame the Board of Directors, who drafts and approves these packages.

      • “If you want to blame someone, blame the Board of Directors, who drafts and approves these packages.”

        But of course they are probably on similar packages.

        In the UK you have to blame the major shareholders who will not even vote against (non binding) remuneration motions.

        But of course the major shareholders are big fund managers and their directors are probably also on similar packages.

        What would happen if “equality legislation” could be used to say that shopfloor and office workers who resign should be entitled to similar payments?

  14. I wonder what the actually number of unique PANs they compromised. I know I went to Target twice during the time of the breach and I’m sure I’m not the only one with multiple trips. So that 40M number is highly suspect. Probably more like 10M to 20M at the most of unique PANs.

  15. $61 million – data breach expense recorded in 4th quarter 2013, per Target’s 10K

  16. Manoa Kahuna

    Dear Brian,

    Thank you very much — again.

  17. $499.99 – The price of the XBox One that some mule used my card number to buy AT TARGET.

    • Something expensive but easy to sell on eBay and turn into cash. Sorry to hear you got hit.

  18. So well laid out and informative when digested taken together. Thank you B. Krebs.

    Such a great point about the chip and pin weakness in Target’s environment.

    piece de resistance…

  19. There was an article on NPR this morning that said the CEO was really fired because of a botched expansion into Canada that cost Target 1 billion last year. He could have survived the breach alone, but the “1-2 punch” was too much. Depressing news for a security guy…
    http://www.npr.org/2014/05/06/309996990/target-ceo-out-after-data-breach-canadian-expansion-misstep

    • That is pretty true. As an ex-target guy, I can speak to the failure of Target Canada. Instead of giving US stores a much needed makeover and update (in terms of technology, infrastructure, and cosmetic appeal) to make them better stores, they launched Target Canada. Due to this, stores like ones I oversaw (older, but still generating tons of revenue) ended up going from the top of the list to be renovated, to a 3-10 year outlook for such an update.

  20. Wow amazing how many people think they know how EMV Credit Cards work. Actually if you run the fraud numbers in Europe when they went pin and chip it had Zero effect on fraud numbers. It shifted all the fraud online which was a wash. So not only are businesses out the money but they they will have almost no effect other then to shift counterfeit cards fraud to fully online fraud which we are still not prepared to stop.

    CVV2 while a good measure is not required to process a credit card. Some processors ask for it but don’t even validate it to save on processing time. Also did anyone here ever take the time to learn about the track one and track 2 data stored on a credit card. Only a few more pieces of data and you identity could be stolen and used to buy more cards.

  21. Unless the new Target CISO reports directly to the Board of Directors, as it should be, they will fail.

  22. As many others mentioned, EMV would not have prevented much related to the Target data compromise. EMV, as a 15 year old technology only helps secure card present transactions and does nothing to secure e-commerce.

    All country level deployments of EMV have resulted in reduced card present fraud, but increased card not present fraud. It’s the fraud “squeeze” effect. EMV was not designed for security, it was designed to accommodate antiquated telecommunications systems in Europe. The credit card data must be decrypted in order for the transaction hand off from the chip to the terminal which will become the default attack vector.

    A much more promising technology is Host Card Emulation (HCE), a newer google technology, that would allow for EMV level of security for both card present and card not present transactions.

    It would allow for at least dual factor authentication for both transaction types and the flexible architecture would allow for additional and automated authentication such as geo-location, MAC verification, IP verification, various biometric, etc.

    Let’s not catch up to the Europeans and other countries currently on EMV. Let’s leapfrog with better technology which is now available.

    • That doesn’t sound like the US at all. Have you met us? We like to come up with “big ideas” sell them off, and then go back to doing things the cheapest way we can get away with. How else would our economic aristocracy skim our livelihood off the top?

  23. Sounds like CEO Gregg Steinhafel’s comp was a little more money than the hackers who stole the card data. I guess you can say the Target loss was split 50/50.

  24. “0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).”

    This is the worst part, i cant believe that a huge company that stores credit cards data of clients doesnt have those positions in their organization, hope they have done something to fix this.

    • There are many companies, even publicly traded ones, who do not have CISO’s or Chief Security Officers. And, if they do have a security department at all, it most often times falls under the CIO or CTO, which is a mistake of epic proportions.

    • You would think of all large retailers, Target would now realize the importance of putting a security seat at the executive management team table.

  25. I know lots of people, myself included, who shopped at Target last year right before the breach occurred yet was never issued a new card or even contacted about it by the bank/credit card company.

    Did the breach compromise all of Target’s records on file or was it a partial breach?

    • If you got an answer to this question, would you believe it? Because, the only people who actually know the answer are the ones who committed the breach, and by definition, they’re not exactly honest.

  26. In France we all have chip and pin cards. As a stranger you’ll probably have issues if you want to pay using American Express cards. Actually it’s quite difficult for us to understand that magnetic stripe cards only still exists. But I agree it’s not a solution by itself and without a global security thoughts we’ll still have to read at Kreb for the last major robberies.

    The numbers you give us are just incredible. No CSO in such a big company, and with a 46% loss. How can they still think it’s not mandatory to have such a person. Actually it should not be only a person but a whole team.

  27. I like the disclaimer for chip&pin that it must use E2EE not P2PE. P2PE is all I really hear being bandied about but E2EE is really where it’s at.

  28. 0 – The number of people in Chief Information Security Officer (CISO) or Chief Security Officer (CSO) jobs at Target (according to the AP).

    This is a little bit misleading. If you follow the link it says that the CISO resigned after the breach. It doesn’t say that there was no CISO. Also where does it says that no one got the responsibilities of a CISO after the resignation.
    Let’s not try to mislead just get everyone’s reaction

  29. I used a Target debit card 2X during the breach period. So far, I have not been affected. In fact, Target informed me in writing that their debit cards were not compromised by the hack.

    I shop at Target regularly. I get 5% off w/ my debit card. I use their Cartwheel program for additional significant savings. They have the best price for my cleaning supplies and paper products and my favorite Tazo tea. Plus, it’s just fun to shop at Target. I enjoy it.

    I have been affected 3 x during the past 3 years by security breaches: a Macys gift card, my medical info was stolen along with others by an Advocate office computer theft and the Target breach. Knock on wood, so far so good, but I only see these types of thefts increasing.

  30. Kevin MacMillen

    Lots of comments concerning Chip/PIN. There is no doubt that the technology reduces card-present fraud, but does little to combat eCommerce fraud when a PAN and expiration date are stolen. The 30+ eCommerce sites in my organization have a mandatory CVV field with a hard decline if no match is made, on the pay page – which helps a lot. The trick for the hacker though is to get the PAN in the first place. My understanding of the process flow in an EMV transaction is that the chip produces an Authorized Request Cryptogram (ARQC) to be sent to the Acquirer for payment authorization. The PAN is not given to the terminal – the ARQC is. So I believe that modern CHIP/PIN technology at Target would have resulted in no card numbers being stolen by the tampered POS terminals and related processing software. The hackers would have scraped forty million useless ARQC’s.

    • Not neccessarily true…but regardless, they can have my credit card # all they want as I’m covered from losses. It’s my PII that I’m worried about. they key here, in my opinion, is not the stealing of PAN but of breach itself. Chip and Pin will not stop breaches. Until the onus is placed where it should be (protect the customer not the banks) we’ll continue to argue about senseless topics.