6.8 million Target card credentials traded, losses approach $1 billion

News by Steve Gold

With 6.8 million compromised records costing an average loss of $136 (£82) per record, potential costs of the Target breach are some US$925 million...and may exceed a billion US dollars.

The fallout from the Target Corporation data breach of late last year - in which more than 40 million card credentials and user details were stolen from the US retail chain – is rolling onwards. New reports detail a further 2.8 million sets of stolen credentials being traded on ‘carder forums', while US banks are now saying that the fiasco has cost them at least £120 million (US$200 million) so far.

The banks say that around 21.8 million of the 40 million cards have been replaced, whilst both Target and Neiman Marcus - a second US retailer hit by card credential losses - failed to show for a Tuesday briefing in Washington with the US government, which is investigating the breaches. As an aside, the US government was reportedly displeased at the absence of both retailers, especially as they had sent out multiple invitations to the hearings.

According to security researcher Brian Krebs, the volumes of valid card credentials stolen in the Target data breach is shrinking, forcing cyber-criminals to offload the stolen card details onto the black market at knockdown rates.

Indeed, prices on the latest batch of 2.8 million cards sold are said to have fallen by at least 70 percent. In the middle of December, card credential sets - which include a variety of data on the cardholder - were trading at between US$ 26.60 and US$ 44.80 (£15.97  to £26.89), says Krebs, adding that the price has now fallen to as low as US$ 8.00 (£4.80).

He says that this trend is being driven by the potential success rate on fraudulent purchases falling to 60 percent on the latest batch of 2.8 million - down from 100 per cent on the initial 4.0 million stolen Target card credential sets.  

Two US organisations - the Consumer Bankers Association and the Credit Union National Association - now report bank losses from the Target breach as having topped £120 million (US$ 200 million). This figure does not, however, include the cost of any fraudulent activity and stems from the costs associated with replacing 21.8 million of the affected cards. 

Breach costs will be higher still

Commenting on the Target cost revelations, Steve Smith, managing director of security consultancy Pentura, predicted that the total bill for these breaches will be higher still. He cites a 2013 study by Symantec and the Ponemon Institute as placing the average cost of a data breach at £82 (US$ 136) per compromised record.

With a potential cost going beyond the billion-dollar mark, Smith says that "prevention really is far cheaper than a cure." 

Barmak Meftah, president and CEO of AlienVault, the open source security software firm, added that, when a major breach occurs, it is vital that other major retailers step up their security to high alert and take lessons from what has happened because in all likelihood - they will be next. 

"This was recently witnessed with Neiman Marcus and other major retailers in the US being hit using the same techniques used in the Target breach,” he explained. 

Lamar Bailey, director of security R&D with TripWire said that a chain is only as strong as its weakest link - and Target learned that lesson the hard way last year.

"It has been a common occurrence for organisations to be hacked via weak security at their partners or supply chains. What happened to Target and Neiman Marcus is nothing new but they were affected on a much bigger scale," he said. 

“For many years the US card issuers have neglected to move to more secure credit card technology because of the cost required to upgrade the cards and infrastructure, with the large expense being replacing stolen cards and money for consumers,” he added.

"I hope this will change the card issuer's minds. Since Target and Neiman Marcus representatives decided not to appear on Capitol Hill, I expect we will see some discussions about new privacy and credit laws coming from the US Congress in the coming months."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews