This morning I awoke to news that the US-based retailer Target has fallen victim to a data compromise. This story was first broken by Brian Krebs yesterday, and there is still a great shortage of details as to the "how".
From Brian Krebs:
Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.
“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
This is a real shame for both Target and, most importantly, their customers. Today the folks at Target posted a release confirming the breach.
From the Target press release:
Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.
40 million. Wow, that's unfortunate. I can lay even money that I'm among the affected customer base. I have a hunch that this was a breach that occurred someplace in the IT supply chain as opposed to the company directly. This is just a hunch, mind you.
Blatant self-promotion warning: I was set to deliver a talk at Deepsec this year called "Supply Chain: The Exposed Flank" which was to speak to this sort of thing. Sadly I blew out my back and could not travel. I hope that I'll get to deliver it in 2014 at some point.
While this type of breach could not be avoided by the end user, it is a good idea to practice some basic safety online.
With law enforcement involved I imagine it will be a while before we hear the details surrounding this data breach. I hope this gets sorted to the benefit of their customer base in short order.
So while we wait to hear, what can you do? First and foremost, take the time to check your banking transactions to make sure that you don't have anything amiss. As well, make it a habit to check your credit card statements.
The biggest of all is to check your credit rating. There are several services that provide you with this ability. Here are three in no particular order that you can leverage.
Be ever vigilant.
(Image used under CC from Roadsidepictures)