Target issued a statement this morning confirming reports by security journalist Brian Krebs that it was the victim of a massive security breach. The breach—which began on or around Black Friday—resulted in the compromise of an estimated 40 million customer credit card accounts.
It’s a simple fact that the dramatic spike in shopping and consumerism during the holidays results in an equivalent jump in cybercrime. Cybercriminals know that people are so busy shopping that the pool of victims is substantially larger, and the odds of success are much greater because consumers aren’t monitoring their spending and credit card statements quite as closely during the holidays.
The fact that these hackers chose Target is a sort of dubious honor for the retailer. Essentially, it’s an acknowledgement of just how popular Target is for holiday shopping.
Right now, there are probably more questions than answers. Target claims that the source of the breach has been resolved, but the investigation into the root cause, or the conditions that allowed such a breach in the first place, is ongoing.
The breach affects customers who shopped in actual brick-and-mortar Target stores between November 27 and December 15. By the time all of the dust settles, there’s a good chance this will rank as one of the most massive breaches of customer data to date.
James Lyne, global head of security research at Sophos, shared some thoughts on the attack. “It is claimed to be data stealing code on the terminals handling transactions though details are scarce. This means widespread deployment of malicious code across many terminals raising the question of how this made it through the build checks and whitelisting into Target’s standard. Even still, more details may come to light shortly but we should assume the worst.”
That said, Dwayne Melancon, CTO for Tripwire, points out a bit of a silver lining. “This has been compared to the TJX breach but one key difference is the time frames involved, at least based on the public data at this point. In the TJX instance, the breach began about 18 months before it was discovered. In this case, we are hearing about a compromise that occurred about a month ago—that reduction in discovery and disclosure time is dramatic. The fact that Target is already saying the breach vector has ‘been resolved’ is another huge difference between this and other high-profile breaches.”
Qualys CTO Wolfgang Kandek is among the 40 million customers impacted by the breach. “I did some traditional shopping at Target between Nov 27 and Dec 15, and so I am in the affected customer set,” explained Kandek. “Unfortunately, beyond canceling one's credit card (which is a hassle) there is not much a customer can do in such a situation.”
Lee Weiner of Rapid7 has some words of caution for customers who may be affected by the Target breach—or even those who aren’t. “Be wary of any communications from people claiming to be your bank. Incidents like this provide a great opportunity for other criminals to launch ‘piggyback’ attacks. They can target you with a call or email claiming to be your card issuer, and then get you to give them your banking information, online security credentials, or visit a malicious website.”
Weiner says that any communication alleged to be from a bank or credit card provider should be treated as suspect. Do not share any information in response to an email or phone call. You should call the provider yourself—using the number on the back of the card—or open a new browser window and log into the bank or credit provider’s website directly to ensure you aren’t being redirected to a spoofed site.
Kandek recommends that users log into credit card and bank account sites more frequently to view pending and processed transactions for potential fraudulent activity. Aside from that, he says customers basically just have to trust the fraud detection algorithms in place at their bank or credit card provider, and hope that any suspicious activity is flagged.