20131218-Target

12/18/2013 – 40 million charge accounts may have been compromised. This was initially disclosed not by Target, but by a private researcher, Brian Krebs.

The original report

The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe.

more at http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

Target Acknowledges Unauthorized Access

Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

More at http://pressroom.target.com/news/target-confirms-unauthorized-access-to-payment-card-data-in-u-s-stores
and https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

A report by NY Times

Target is investigating a security breach involving stolen credit card and debit card information for millions of its customers, according to one person involved in the investigation.

The breach, which was first reported Wednesday by Brian Krebs, a security blogger, began the day after Thanksgiving, and may be continuing, … Though state notification laws differ, most states require that companies notify customers of a breach if their names are compromised in combination with other information like a credit card, Social Security number or driver’s license number. … But states make exceptions for encrypted information. As long as companies scramble consumer information with basic encryption, the law does not require companies to tell customers about a breach.

much more at http://bits.blogs.nytimes.com/2013/12/18/target-looking-into-security-breach

Who may be selling Target’s Data

Tuesday 12/24/2013 Brian Krebs said he believed he had identified someone who was selling Target customers’ charge card information for as much as $100 apiece on a black market site.

more at http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/
and http://bits.blogs.nytimes.com/2013/12/24/who-is-selling-targets-data

PIN Compromise?

12/25/2013 Personal Identification Numbers (PINs) associated with debit cards used at Target may have been compromised. An exposed PIN (either unencrypted or one whose encryption had been broken) would give crooks near-unfettered direct access to the consumer’s bank account and let them withdraw funds.

Target said some “encrypted data” was stolen, but declined to say if that included encrypted PINs. “We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date. We are very early in an ongoing forensic and criminal investigation.”

Encryption may stop amateur hackers but is unlikely to stop sophisticated cyber criminals who were able to infiltrate Target in the first place. Also, hackers may use a RAM scraper which captures the PINs while they are temporarily stored in memory.

See more http://www.reuters.com/article/2013/12/25/us-target-databreach-idUSBRE9BN0L220131225

12/27/2013 Target: PINs Compromised

Friday 12/27/2013 Target revises previous statements, confirms encrypted PINs were taken, but “remains confident that PIN numbers are safe and secure.” If they were indeed so safe, then why did two major banks, JPMorgan Chase and Santander Bank, place limits on customer purchases and withdrawals made with compromised cards even before the Friday announcement? The unprecedented action hindered last minute shoppers. About two million Chase debit cards compromised at Target are being replaced.

While credit cards carry considerable consumer protections, debit cards are often a tap into a consumer’s main money source, their checking account. If funds are stolen, it could set off a series of NSF checks, each of which can carry fees both at the bank and from the intended recipient, plus other fees. Waiting and watching the account might not be enough, as some crooks are patient and may strike after the publicity has died down. See the Consumer Reports article cited below.

Target Announcement
http://bits.blogs.nytimes.com/2013/12/27/targets-nightmare-goes-on-encrypted-pin-data-stolen/
Chase Replacing Debit Cards
https://www.chase.com/services/target-breach
Consumer Reports
http://www.consumerreports.org/cro/news/2013/12/chase-bank-debit-cards-at-risk-target-data-breach/index.htm

Size and Scope expanded 1/10/2014

Size: 40 million were reported compromised in the December 2013 breach. Friday 1/10/2014 that has risen to 70 million (see Krebs below) or 110 million (see NY Times below). Further, any Target customer, whether or not they used their cards during the holiday season, may have been exposed.

Scope: What was exposed has been expanded to include names, mailing addresses, phone numbers, email addresses, credit card numbers, debit card numbers, expiration dates and PINs for debit cards.

Be aware: Target collects Social Security Numbers from those who apply for Target Red Cards, a form of debit card. There has been no specific announcement as to whether or not SSNs have been compromised.

Target is offering a year of no-charge credit monitoring service to compromised customers (see Target below).

70 Million exposed per
http://krebsonsecurity.com/2014/01/target-names-emails-phone-numbers-on-up-to-70-million-customers-stolen/

110 Million exposed per
http://www.nytimes.com/2014/01/11/business/target-breach-affected-70-million-customers.html

Target offers no-charge Credit Monitoring
https://corporate.target.com/discover/article/Target-to-offer-free-credit-monitoring-to-all-gues

1/12/2014 The Exploit (briefly)

The point-of-sale devices were infected with memory-reading malware which captured the card data while it sat in memory in plain text, before it was encrypted. Even EMV data would be vulnerable to such an exploit.

Interviewed by CNBC, Target CEO Gregg Steinhafel confirmed that the attackers installed malicious software on point-of-sale (POS) devices in the checkout lines at Target stores.

http://www.cnbc.com/id/101329300 (there is a video on that page)

The malware was believed to be a RAM scraper (underlining ours)

The sources who spoke to Reuters about the breaches said that investigators believe the attackers used … a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text, the sources said.

Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware.

The alerts, published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them.

http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

1/12/2014 Target CEO defends 4-day wait to disclose

Since Target’s original announcement that up to 40 million customer credit and debit card accounts had been hacked, critics have questioned why it took the retailer four days to come clean on the data breach. Now, for the first time since the security breach was announced on Dec. 19, Target Chairman and CEO Gregg Steinhafel is speaking out. While four days may seem like a long time for consumers to learn their sensitive account information was at risk, Steinhafel argued that it was lightning speed from Target’s perspective. CNBC story & video

1/13/2014 Apply for Credit Monitoring by 4/23/2014

Target contracted with Experian for their ProtectMyID product which retails for about $160 a year.

Click link below for how to sign up.
https://corporate.target.com/discover/article/free-credit-monitoring-and-identity-theft-protecti
See also
http://dealbook.nytimes.com/2014/01/13/targets-woes-may-be-a-boon-for-security-firms

1/15/2014 The Exploit (More Detail)

Security researcher Brian Krebs put together a more detailed description of the exploit used against Target. This malware has been used in previous intrusions dating back to at least June 2013.

http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

An earlier version called BlackPOS affected charge cards issued by multiple banks including Chase, Capital One, Citibank, Union Bank of California and Nordstrom Bank. More on BlackPOS

1/16/2014 McAfee Labs

McAfee Laboratories analyzed the Target exploit.

Although there is no official confirmation, we have credible evidence to indicate that the malware used in the Target stores attack is related to existing malware kits sold in underground forums.

Much more
http://blogs.mcafee.com/mcafee-labs/analyzing-the-target-point-of-sale-malware
 
See also
Threat Advisory: Electronic Point of Sale (EPOS) Data Theft
http://kc.mcafee.com/corporate/index?page=content&id=PD24927

1/16/2014 The Exploit (More Details)

The data was captured by malware that infected point-of-sale devices, stored, then transmitted. Underlining in the quotes below is ours.

First, the malware that infected Target’s checkout counters (PoS) extracted credit numbers and sensitive personal details. Then, after staying undetected for 6 days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network.

Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to a FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a 2 week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over 2 weeks for a total of 11 GBS of stolen sensitive customer information.

http://www.seculert.com/blog/2014/01/pos-malware-targeted-target.html
The URL above also includes screenshots of the FTP and PoS server logs.

The malware was not detectable by any antivirus product.

These two … scan results from Jan. 16 (today) show that even to this day not a single antivirus product on the market detects these two malicious files used in the Target attack.

http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/
URL above has much more on the exploit.
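The Seculert description above (one infected internal machine pushing payloads to one external FTP server several times a day for two weeks) and the Krebs observation that no antivirus product detected the files together make the point that the exfiltration pattern, not the malware, was the detectable signal. The following is an added example of that network-side check, not code from Seculert, Krebs or Target; the internal address ranges, the flow records and the thresholds are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the internal (cardholder-data) address space of a fictional
# retail network. A real deployment would load this from the network inventory.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
FTP_PORTS = {20, 21}

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# They imitate the pattern described in the text: one internal host pushing large
# payloads to one external FTP server several times a day over several days.
SAMPLE_FLOWS = [
    ("2013-12-02 03:10:00", "10.0.5.23", "203.0.113.45", 21, 700_000_000),
    ("2013-12-02 15:40:00", "10.0.5.23", "203.0.113.45", 21, 650_000_000),
    ("2013-12-03 02:55:00", "10.0.5.23", "203.0.113.45", 21, 720_000_000),
    ("2013-12-04 03:05:00", "10.0.5.23", "203.0.113.45", 21, 690_000_000),
    ("2013-12-05 03:12:00", "10.0.5.23", "203.0.113.45", 21, 710_000_000),
    ("2013-12-03 09:00:00", "10.0.7.8", "198.51.100.9", 21, 2_048),          # one-off small upload
    ("2013-12-03 09:05:00", "10.0.7.8", "10.0.1.4", 21, 5_000_000),          # internal-to-internal
    ("2013-12-03 10:00:00", "10.0.9.1", "203.0.113.80", 443, 900_000_000),   # HTTPS, not FTP
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_ftp_summary(flows):
    """Aggregate FTP flows that leave the internal networks, per (src, dst) pair."""
    summary = {}
    for ts, src, dst, port, nbytes in flows:
        if port not in FTP_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        entry = summary.setdefault((src, dst), {"days": set(), "bytes": 0, "flows": 0})
        entry["days"].add(ts[:10])      # calendar day of the transfer
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return summary


def find_exfil_candidates(flows, min_days=3, min_bytes=1_000_000_000):
    """Return one alert per internal->external FTP pair.

    Any outbound FTP from the internal segment is reported (it should be blocked
    at the egress firewall); a pair that repeats over several days and moves
    more than min_bytes in total is escalated to high severity."""
    alerts = []
    for (src, dst), s in sorted(outbound_ftp_summary(flows).items()):
        sustained = len(s["days"]) >= min_days and s["bytes"] >= min_bytes
        alerts.append({
            "src": src,
            "dst": dst,
            "days": len(s["days"]),
            "flows": s["flows"],
            "bytes": s["bytes"],
            "severity": "high" if sustained else "low",
            "reason": ("sustained high-volume FTP upload to external host"
                       if sustained else "outbound FTP from internal segment"),
        })
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_FLOWS):
        print(f'{a["severity"]:4} {a["src"]} -> {a["dst"]} '
              f'{a["days"]} day(s), {a["flows"]} flow(s), {a["bytes"]/1e9:.2f} GB: {a["reason"]}')
```

Run against the constructed flows, the host that repeats its uploads over four days is escalated, the one-off upload is still reported (outbound FTP from a payment segment is a policy finding in its own right), and the internal-to-internal and HTTPS flows are ignored. The same aggregation works on any flow export; the FTP filter is only the narrowest version, and a volume rule on every port would have been the broader check.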

1/17/2014 Time Line, Recap, Costs and more details

Excellent article by the New York Times includes these elements: The bold, underlining or italics are our emphasis.

… Target had no clue until the Secret Service alerted the company about two weeks before Christmas.

… Target’s system was particularly vulnerable to attack.

… The theft involved confidential credit and debit card data of as many as 40 million Target customers, and personal information, such as phone numbers and addresses, of as many as 70 million more.

… a consulting firm, estimates the total damage to banks and retailers could exceed $18 billion. Consumers could be liable for more than $4 billion in uncovered losses and other costs.

… The stolen data was then lifted and stored on an infected server inside Target, awaiting an order from the criminals. The coding was easily manipulated so that it could receive instructions from its handlers in real-time, changing at their command.

… Nearly a decade ago, Albert Gonzalez … was stealing credit card data from T. J. Maxx and Marshalls clothing chains in much the same way.

… Within two weeks, criminals had taken 11 gigabytes worth of Target’s customer data: less than the amount of memory on Apple’s iPad Mini, but enough to contain 40 million payment card records, encrypted PINs and 70 million records containing Target customers’ information.

… Nearly 70 lawsuits have already been filed against Target, many of them seeking class-action status.

The direct consumer liability of $4 billion is partly due to the lesser protections offered to debit cards compared with credit cards.
 
The exploit malware was a refined memory scraper that read decrypted information inside the terminal where consumers swiped their cards and entered their personal identification numbers (PINs). This variant has been named Kaptoxa, Russian slang for potato, a word used by some criminals in reference to credit cards.

Highly recommended reading
http://www.nytimes.com/2014/01/18/business/a-sneaky-path-into-target-customers-wallets.html

Information on the TJX Companies, Inc. breach (includes TJMaxx and Marshall’s) may be found at
https://nc3.mobi/references/20070117-tjx/

1/20/2014 From Target

Beware scammers who are preying on victims of this card compromise. Target has multiple web sites you should consider the horse’s mouth for official communications and how to sign up for no-charge credit monitoring.

Official Communications
https://corporate.target.com/about/payment-card-issue

Credit Monitoring
https://creditmonitoring.target.com

1/29/2014 More Details

Security researcher Brian Krebs has gathered more information on how the Target breach occurred. The post starts with

An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

As with many major disasters, there wasn’t just one cause. It appears there were violations of PCI-DSS standards: several default passwords were left unchanged in critical system applications. Three system elements were compromised: the Point-Of-Sale (POS) terminals (where the data was grabbed), by known malware; the dump server (where the data was temporarily stored), by unknown malware; and the exfiltration server (how the data got out), by known malware. Two of the three elements were compromised by known means.
 
The article has some excellent graphics, including a sad one showing a frequency analysis of POS malware events. It only looks like it is getting worse. The Federal Bureau of Investigation wrote:

“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors,”

“We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”

Source: 1/17/2014 unclassified Private Industry Notification from the FBI Cyber Division.
http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach

See the interactive report behind the frequency analysis
https://www.recordedfuture.com/live/sc/6xuuqUW5Vo8l

1/29/2014 Investor lawsuit

A Target Corp. investor filed suit in Minnesota federal court Wednesday against the executives of the retailer, holding them liable for damage caused by the holiday-season data breach that saw hackers steal personal and financial information from tens of millions of customers. Shareholder Maureen Collier filed the suit with a complaint alleging that Target’s board and top executives harmed the company financially by failing to take adequate steps to prevent the cyberattack, then by subsequently providing customers with incomplete and misleading information about the extent of the data theft. “The suit brings claims of breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control, and seeks monetary damages on behalf of the company from the 14 named officers and directors”.

1/30/2014 The ChewBacca ‘bot

Small retailers in 11 countries were targeted by cyber criminals who stole data on about 24 million transactions compromising some 49,000 cards using “ChewBacca”. The companies were in the United States, Russia, Canada and Australia.

Source: http://www.reuters.com/article/2014/01/30/us-retailers-cyberattack-idUSBREA0T21120140130

RSA security report on the ‘bot

In a recent investigation, RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems.

ChewBacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target systems that process credit cards, such as Point-of-Sale (POS) systems. The memory scanner dumps a copy of a process’s memory and searches it using simple regular expressions for card magnetic stripe data. If a card number is found, it is extracted and logged by the server.

RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection. The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.

Much more at https://blogs.rsa.com/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information/
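The RSA description above says the memory scanner searched process dumps with simple regular expressions for magnetic stripe data. The same pattern matching is what a defender runs over a server that should never hold track data (the dump server in the 1/29/2014 entry, a captured FTP upload, a memory image taken during response) to confirm a leak. What follows is an added example of that check, written for this page and not taken from RSA, Krebs or Target; the track layouts are the public ISO 7813 formats, the sample memory bytes are constructed, and the card number is the well-known Luhn-valid test number, not a real account.

```python
import re
from dataclasses import dataclass

# ISO 7813 track layouts (ASCII encoding assumed; this example does not handle
# other encodings the POS software might use in memory):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    track: int
    offset: int
    masked_pan: str
    expiry: str        # YYMM as stored on the card
    service_code: str


def scan_buffer(buf: bytes) -> list:
    """Scan a memory dump, file or captured upload for track-1/track-2 data."""
    findings = []
    for track, pattern, pan_grp, exp_grp, sc_grp in ((1, TRACK1_RE, 1, 3, 4),
                                                      (2, TRACK2_RE, 1, 2, 3)):
        for m in pattern.finditer(buf):
            pan = m.group(pan_grp).decode("ascii")
            if not luhn_ok(pan):
                continue
            findings.append(Finding(track, m.start(), mask_pan(pan),
                                    m.group(exp_grp).decode("ascii"),
                                    m.group(sc_grp).decode("ascii")))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: process memory with unrelated bytes around a test card
# (4111111111111111 is a Luhn-valid test number, not a real account) and a
# decoy track-2 string whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x10POSAPP.EXE\x00\x00 log=on \xff\xfe"
    b"%B4111111111111111^DOE/JOHN^15121011000000000000?"
    b"\x00\x00\x00 sale ok \x00"
    b";4111111111111111=15121011000000000?"
    b"\x00\x00"
    b";1234567890123456=1512101?"
    b"\x00 end\x00"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_MEMORY):
        print(f"track {f.track} at offset {f.offset}: PAN {f.masked_pan}, "
              f"expires {f.expiry}, service code {f.service_code}")
```

Two findings come back for the sample (one per track) and the decoy is dropped by the Luhn check; the PAN is masked before it is returned so the alert itself does not become another copy of cardholder data. Any hit on a host outside the cardholder data environment, or in an outbound upload, is the kind of evidence the Seculert and RSA write-ups describe.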

02/04/2014 Senate Hearing

There was a hearing today at the Senate Judiciary Committee on Privacy in the Digital Age, where Target and Neiman Marcus executives spoke. The Chairman, Senator Patrick J. Leahy of Vermont, said:

“If consumers cannot trust businesses to keep their data secure our economic recovery is going to falter.”

Source for the quote and more see
http://www.nytimes.com/2014/02/05/business/target-to-speed-adoption-of-european-anti-fraud-technology.html

2/05/2014 HVAC access

Hackers who broke into Target’s computer network and stole customers’ financial and personal data used credentials that were allegedly stolen from a heating and air conditioning subcontractor in Pennsylvania, according to digital security journalist Brian Krebs. It appears the air conditioning company was given access to Target’s computer network so the vendor could make remote changes to the system to cut heating and cooling costs. The breach started with a malware-laced email phishing attack sent to employees at the HVAC contractor Fazio Mechanical in Sharpsburg, Pennsylvania. According to Krebs on Security: “multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.”

2/06/2014 EMV Fast Track

Target Corporation announced it is fast-tracking new credit card security technology in its stores, 6 months earlier than originally planned. Target’s CFO announced it is moving up its goal to use chip-enabled smart cards, and now plans to have them in stores by early 2015. These cards encrypt point-of-sale data, rendering the credit card number less useful if stolen. Currently this technology is more prevalent outside the US, where it has resulted in fewer card number thefts, notably in Canada and the United Kingdom. EMV is no magic bullet.
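Why a chip card is hard to counterfeit while a stripe is not, and why it is still no magic bullet, can be shown with a small model. This is an added illustration written for this page, not code from Target, EMV or any card network: HMAC-SHA256 over the transaction counter, amount and a terminal-generated unpredictable number stands in for the EMV application cryptogram (real cards derive 3DES/AES session keys from an issuer master key), and the card number, expiry and amounts are constructed test values.

```python
import hashlib
import hmac
import os

# Simplified model (assumption): HMAC-SHA256 over (ATC, amount, unpredictable
# number) stands in for the EMV application cryptogram. Real EMV derives
# per-card and per-session keys from an issuer master key with 3DES/AES.


def _cryptogram(key: bytes, atc: int, amount: int, unpredictable: bytes) -> bytes:
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Issuer side: holds each card's key and the last accepted transaction counter."""
    def __init__(self):
        self.keys = {}
        self.last_atc = {}
        self.magstripe_records = {}        # PAN -> expiry, for the mag-stripe comparison

    def personalize(self, pan: str, expiry: str) -> bytes:
        key = os.urandom(16)
        self.keys[pan] = key
        self.last_atc[pan] = 0
        self.magstripe_records[pan] = expiry
        return key

    def authorize_magstripe(self, pan: str, expiry: str) -> bool:
        # Static data: anything that reads the stripe (or memory) can replay it.
        return self.magstripe_records.get(pan) == expiry

    def authorize_chip(self, pan, atc, amount, unpredictable, cryptogram) -> bool:
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:   # unknown card or replayed counter
            return False
        expected = _cryptogram(key, atc, amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self.last_atc[pan] = atc
        return True


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount: int, unpredictable: bytes):
        self.atc += 1
        return self.atc, _cryptogram(self.key, self.atc, amount, unpredictable)


class ClonedCard:
    """A counterfeit built only from data a memory scraper could see: no key."""
    def __init__(self, scraped: dict, bump_atc: bool = False):
        self.pan = scraped["pan"]
        self.atc, self.ac = scraped["atc"], scraped["ac"]
        if bump_atc:                       # try to get past the counter check
            self.atc += 1

    def generate_ac(self, amount: int, unpredictable: bytes):
        return self.atc, self.ac           # can only replay the captured cryptogram


class Terminal:
    def __init__(self, issuer: IssuerHost):
        self.issuer = issuer
        self.memory = {}                   # what a RAM scraper on the terminal would read

    def transact(self, card, amount: int) -> bool:
        un = os.urandom(4)                 # fresh unpredictable number per transaction
        atc, ac = card.generate_ac(amount, un)
        self.memory = {"pan": card.pan, "amount": amount, "un": un, "atc": atc, "ac": ac}
        return self.issuer.authorize_chip(card.pan, atc, amount, un, ac)


def demo() -> dict:
    pan, expiry = "4111111111111111", "1512"   # constructed test values
    issuer = IssuerHost()
    key = issuer.personalize(pan, expiry)
    card, terminal = ChipCard(pan, key), Terminal(issuer)
    results = {}
    # Mag-stripe: the scraped static data authorizes again and again.
    results["magstripe_replay"] = issuer.authorize_magstripe(pan, expiry)
    # Chip: genuine transaction, then a scrape of terminal memory, then replays.
    results["chip_genuine"] = terminal.transact(card, 2599)
    scraped = dict(terminal.memory)
    results["pan_still_exposed"] = scraped["pan"] == pan
    results["clone_replay"] = terminal.transact(ClonedCard(scraped), 2599)
    results["clone_bumped_atc"] = terminal.transact(ClonedCard(scraped, bump_atc=True), 2599)
    results["genuine_after_attack"] = terminal.transact(card, 1000)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The stripe record authorizes whenever it is replayed; the chip clone fails both when it replays the captured counter and when it bumps the counter without the key. Note what the model does not fix: the card number is still readable in terminal memory after the transaction, which is the point of the 1/12/2014 entry above that even EMV data is exposed to a memory scraper.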

2/25/2014 Replacement Card Backlog

The companies that actually issue replacement cards have a backlog due to the Target breach. How big a backlog?

I recently spoke with a gentleman who heads up security at a small federal credit union, and this individual said his institution ended up printing their own cards in-house after being told by their financial services provider that their order for some 2,000 new customer cards compromised in the Target breach would have to get behind a backlog of more than 2 million existing orders from other banks. [More at Krebs  Highlighting ours – ed]

4/30/2014 Target Plans to Issue Chip-and-PIN Cards

Target announced on Tuesday [4/29/2014] that it would switch its debit and credit cards over to a more secure technology by early next year … called chip and PIN, is widely used in Europe and considered to be far more secure than most cards used in the United States, which rely on magnetic strips. While it does not address all fraud, the chip makes a card hard to duplicate, and the pin, or personal identification number, more difficult for a thief to use. … “The move toward chip and PIN had been a very slow process in the United States because so many players have to restructure everything,” said Suzanne Martindale, a staff lawyer at Consumers Union. “We’re hoping that Target moving in this direction will encourage other retailers and financial institutions to create more secure payment cards, because it’s long overdue.” … Experts stress, however, that these cards would not have necessarily helped those whose data was stolen in the Target breach. 4/30/2014 NYT Article

[ bolding ours – ed ]

5/05/2014 CEO resigns

Target’s CEO has resigned in the wake of the data breach over the holiday season. He is claiming the breach was his fault. Earlier in 2014 the Chief Technology Officer resigned. The current CFO of the company will take over as interim CEO.

8/07/2014 Costs

Target has announced that the data breach will cost its shareholders $148 million.

12/04/2014 Judge Rules Target can be sued

The ruling makes it easier for banks (charge card providers) to sue merchants with poor security. The district court memorandum and order is easily readable.

The article from Ars Technica.

The United States District Court, District of Minnesota Memorandum and Order in MDL No. 14-2522 (PAM/JJK) (16 page PDF)

The amended class action filing in The United States District Court, District of Minnesota case 0:14-md-02522-PAM Document 258 Filed 12/01/14 (126 page PDF)

2/25/2015 Target says breach cost $162M

This does not include costs paid by affected consumers or the result from class action lawsuits (see 12/4/2014 above). Nor does it include any losses due to its tarnished reputation. (more … and Target reports Fourth Quarter and Full-Year 2014 Earnings)

3/18/2015 Target proposes to pay $10M to victims

While the proposed settlement requires approval by a federal district court judge it could pay victims up to $10,000 in damages. (source) $10M / ($10k/victim) implies a maximum of 1,000 victims at the maximum payout. As reported 2/25/2015 Target reported the breach cost them $162M. There were 40 million charge accounts compromised so the proposed payout is an average of ( $10M / 40M victims ) $0.25/victim or a quarter each! That is about half the price of a stamp. Outraged? Surprised?

3/19/2015 Update

Preliminary approval was given to the proposed settlement. One rationale for the total being low is that Target reported “low levels” of actual damage to exposed accounts. To make any claim a victim must prove “ … among other things, that unauthorized charges were made to their credit cards. They must also show that they invested time in addressing the fraudulent charges and incurred costs from correcting their credit report because of higher interest rates or fees, from replacing driver’s licenses or other forms of identification, or from hiring identity protection companies or lawyers.” (source) The judge set a final hearing on the settlement for 11/10/2015 as potential claimants have time to object to the settlement.

8/18/2015 Update: Target settles with providers, sorta

Visa: Reportedly reached an agreement with Target Corp to receive up to $67 million in costs related to the late-2013 breach. Mastercard: A proposed settlement for $19 million didn’t happen because fewer than 90% of the Mastercard issuing banks accepted the deal. Sticking Points: The “optional alternative recovery offer” would require providers to release Target from a class action lawsuit. Both settlements were crafted in private without public scrutiny and apparently “… without involvement of the court or court-appointed legal representatives of financial institutions …”. One lawyer criticized the Visa agreement as insufficient reimbursement for “substantial losses” reportedly in excess of one billion dollars. (Source: Reuters via NY Times)

9/21/2015 Update: The first Security Report

The breach was reported 12/18/2013 and a security investigation by Verizon was started just three days later. Completed by March 1, 2014 the report found “no controls limiting their access to any system, including devices within stores such as point of sale (POS) registers and servers.” In an incredible example of the dangers inherent to the “internet of things” inside multiple stores, the investigators “were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.” The deli scale wasn’t the only way toward compromise. Internal passwords were weak with investigators cracking 472,308, or 86%, of passwords. Much more at KrebsOnSecurity

[ Q: How did Target pass its Payment Cards Industry Data Security Standard (PCI-DSS) certification examination? Quoting Target Chairman, President, and Chief Executive Officer Gregg Steinhafel “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.” -ed ]

12/03/2015 Update: Target settles a class action

Banks in a class action lawsuit against Target settled for $39 million. Those banks included Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union, and First Federal Savings of Lorain. More at CNNMoney

 
 

On releasing bad news on Friday

http://politicaldictionary.com/words/friday-news-dump/
http://www.slate.com/articles/business/moneybox/2004/09/friday_night_blights.html

 
 


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.