Retailer Confirms Attack Infected POS System
By Tracy Kitten, December 24, 2013.
Target Corp. has confirmed that a payments breach that likely exposed some 40 million U.S. debit and credit accounts was caused by a malware attack that infected its point-of-sale system (see Target Breach: What Happened?).
Target CEO Gregg Steinhafel confirms the company is working with the Secret Service and the Department of Justice to investigate the incident. "This unauthorized access is a crime, and we are taking it very seriously," the company states in the latest notice on its its website.
Although Target is not issuing any details about the forensics investigation, Andrey Komarov, CEO of cyberintelligence firm IntelCrawler, says card numbers compromised in the Target breach are flooding underground forums and continued to be posted for sale as recently as Dec. 20. For now, forums with URLs based in Asia and Eastern Europe are being closely monitored for carding activity linked to compromised Target transactions, he says.
"It is important to analyze online underground shops for presence of compromised data in order to find any relations between bad actors trading the data and real hackers who made the intrusion," Komarov says.
Fraudsters know the compromised card numbers won't be good forever, he says, so fraud associated with compromised accounts will likely occur immediately. "In my opinion, this incident is very similar to the RBS WorldPay hack and Heartland Payments intrusion," he says.
Brian Krebs, the cyber-security blogger who broke the Target breach story Dec. 18, also blogged this week about cards associated with the Target attack appearing for sale in underground forums.
Bank ActionBanking institutions, including JPMorgan Chase, are working directly with their customers to address card fraud risks.
On Dec. 21, Chase told customers that debit and reloadable debit accounts identified as being at risk because of the Target breach would have temporary cash withdrawal and purchase restrictions of $100 and $300, respectively, until new cards could be issued. On Dec. 23, the bank issued a revised statement, noting that those cash and purchase limits had been raised.
"To minimize inconvenience to our customers, we raised those reduced limits today to $250 at ATMs and $1,000 in purchases per day in the United States," Chase states. "We may continue to change these limits if we think it makes sense, so please check chase.com for updates."
Consumers also have filed a series of class action lawsuits seeking millions in damages from the Minneapolis-based retailer, according to published reports.
Also, attorneys general in Connecticut, Iowa, Massachusetts, New York and South Dakota so far have requested Target provide more information about the breach. On Dec. 19, New York Attorney General Eric Schneiderman also requested that Target provide one year of free credit monitoring to all impacted New York residents.
Target notes on its breach FAQ page, which is constantly being updated, that it is offering free credit monitoring to anyone impacted. "We are in the process of establishing the service and will be reaching out to guests in the coming weeks with more information," Target says.
Lots of AttentionShirley Inscoe, a financial fraud analyst with the consultancy Aite, says Target's breach is getting more attention than previous retailer breaches.
"When the TJX breach occurred just a few short years ago, I don't recall consumers filing class action suits against the company, nor were state attorneys general as knowledgeable or as litigious as they are today," Inscoe says.
"It certainly shows how quickly society's outrage over these data breaches is growing, and that consumers, and state AGs, are more proactive and litigious than in the past," she adds. "Surely companies will realize it is preferable to be more proactive in addressing security gaps going forward than to incur all the fallout and negativity associated with a breach."
Communication EffortsTarget has continued to issue statements and updates on its website and Facebook page about the breach. The retailer has directly contacted its REDCard accountholders, telling them that Target will provide free credit monitoring and cover any fraudulent charges linked the breach that are not covered by their banking institutions.
In its most recent statement, Target says it has invited state attorneys general to participate in a call with the company's general counsel, "to help bring them up to date on the data breach that has impacted Target and our guests."
Target also says its call center continues to get a high volume of inquiries, so it has doubled the number of team members staffing the center to meet the demand.
"We have communicated to 17 million guests via e-mail and reminded them that unless they have seen fraudulent activity on their account, there is no urgent need to call," Target notes in its Dec. 23 statement. "We also continue to push tips to our guests via social media."
The retailer also has provided instructions on its site for REDcard accountholders to set up automated alerts for each transaction conducted with their cards.
Target's OutreachSome breach response experts say Target, under the leadership of Steinhafel, the CEO, is doing a good job with post-breach communication.
Andrew Walls, a social media expert who's an analyst at the consultancy Gartner, says Target's communications with consumers have been appropriate and highlight the need for more organizations to bake social media policies into their incident response and disaster recovery strategies.
"This is just about communications at the end of the day," he says. "It's important to have one policy that applies to all communications, whether it's a phone call, a tweet, a Facebook post or an e-mail. Most organizations are too focused on the technology, and not the message."
Al Pascual, an analyst with consultancy Javelin Strategy & Research, says Target's response has been exemplary.
"Target has been quite forthcoming, which is a benefit to them, their customers, and affected issuers," he says. "Advising the public of the breach and the type of information compromised so immediately after the event occurred allowed consumers and issuers to act quickly. While the forensic investigation is ongoing, the release of details surrounding the breach likely depends on whether or not any of these lawsuits make their way to court."
Cyber-security attorney David Navetta, a partner at the Information Law Group, says the Target incident will raise breach awareness.
"People often think of hacking situations online or losing your credit card information at e-commerce sites," he says. "But now, here we have a situation where people are physically going into the store, using their card ... and their data is being taken."
And Alan E. Brill, senior managing director of risk mitigation firm Kroll Advisory Solutions, says the Target breach will serve as a wakeup call for others, especially when it comes to the need for cyber-insurance.
"With the changes in the types of coverage available and the increasing sophistication of the insurance industry, periodic re-evaluations of cyber-insurance is just good business," he says.
"It's vital for organizations to [determine] if the same kind of attack could happen to them, and what steps they can take to mitigate the risk," Brill adds. "It could be anything from a high-tech attack on the POS system to some action by an insider. But whatever it is, everyone has to say: 'What could I do to not have this happen to me?'"