Target hit by 40m card credential breach

News by Steve Gold

Target card breach, "echoes of the infamous TJ Maxx incident of 2005" - Graham Cluley.

Target Corporation - a US retailer with more than 1,900 stores across North America and an annual turnover of US$ 73 billion (£44.6 billion) last financial year - has been hit by a major credit and debit card data breach affecting 40 million of its customers.

In a press statement issued in the early hours of this morning, Gregg Steinhafel, the group's CEO, confirmed the story broken by security blogger Brian Krebs, saying: "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence."

"We regret any inconvenience this may cause - we take this matter very seriously and are working with law enforcement to bring those responsible to justice," he said.

Target is the latest in a long line of US retailers to be hit with a card-based data breach problem.

TJX - trading as T.J. Maxx and Marshalls - suffered a major breach back in July 2005 that exposed more than 45m credit and debit cards to potential fraud. That breach was not detected until the end of 2006 - and in 2009 TJX agreed to pay US$ 9.75 million (£5.96 million) in a settlement with multiple US states related to the massive data theft.

In 2012, meanwhile, Global Payments, the Atlanta-headquartered payments processor - which processes transactions across the Northern Hemisphere, including for merchants in the UK - was hit by a data breach involving millions of cardholders.

According to Target - which is the broad equivalent of Tesco or Sainsbury's in terms of US/Canadian retailing - the breach involves card credentials from its in-store, rather than online, shoppers. The US Secret Service - tasked with protecting the integrity of electronic transactions in the US - has been called in to investigate the breach, which took place between November 27 and December 18 this year.

Security blogger Brian Krebs - citing two unnamed sources - says that the breach was initially thought to have extended from Thanksgiving 2013 to December 6.

"But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week - possibly as far back as December 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company's main street stores during that timeframe," he noted in his posting made yesterday. notes that most US card issuers do not use the EMV smart card - aka Chip & PIN - system first launched in France in 1992, preferring instead to use the legacy magnetic stripe system.

This makes it a lot easier for criminals to 'clone' and use the cards - and many magnetic stripe versions of cloned cards from Europe and the UK end up being used in the US for this reason.

Commenting on the breaking story on Target, Gavin Millard, EMEA Technical Director with security vendor Tripwire, said that the full extent of this possible breach is still not known, but if Brian Krebs is correct, this could be one of the biggest of its kind.

"The two worrying aspects to this breach are the timeframe, because it occurred on the busiest shopping period in the US calendar year when millions flood to the big box retailers and the fact that the “track data” was captured, enabling the attackers to create counterfeit cards," he said.

Security researcher and analyst Graham Cluley - who has worked at multiple security vendors, including S&S International back in the 1980s and 1990s - said that the Target card incident has echoes of the infamous TJ Maxx incident [of 2005], where millions of credit card details were nabbed by hackers.

"In that case the criminals exploited weak WiFi encryption used by the stores to make off with the valuable data," he said.

"Although we don't know the facts yet about how the criminals broke into the Target computer systems, it's probably a good time to remind retailers of how to better protect their data, and the identities of their customers:

• Keep computers that store sensitive data, such as customer records, separate from your public facing website and servers.

• Ensure that sensitive data can be accessed by only those employees who actually need access to it.

• All sensitive data should be securely encrypted. There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals.

• Harden your Web site, so it is not vulnerable to attacks such as SQL injection.

• Ensure that all points of your network are protected by good quality security software, control the use of USB sticks, and deploy Web security filtering in place to keep employees safe when they're online."
