Many Americans spent some post-Thanksgiving quality time at Target stores, stocking up on everything from tree lights to cards to sweaters. And therein lies the problem: anyone who swiped a card at a Target store between Nov. 27 and Dec. 15, the busiest shopping time of the year, could potentially be a victim.
First uncovered by security researcher Brian Krebs and then confirmed by Target itself, the breach’s details are still emerging. It’s not totally clear how the heist was carried out, or if all US-based stores were affected, but the perpetrator(s) were able to lift “track data,” which enables the attackers to create (and sell) counterfeit cards. That makes the breach a bit more dramatic than if card data alone had been captured. And for many, it also offers some clues as to the attack vector.
Aaron Titus, CPO and general counsel at Identity Finder, a sensitive data management solution provider, explained the implications in an emailed comment. “Track data is extra sensitive data physically stored on a credit card magnetic stripe, in addition to the card number, expiration date and verification code,” he said. “Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”
Eric Chiu, president & co-founder of HyTrust, said in an email that the breach was likely an inside job, stemming from a lack of access controls. “The Target breach, on the heels of Adobe, Vodafone, and Snowden is another wake up call to the new threats in a connected world,” he said. “POS systems run software and are connected to networks as well as transmit credit card data to central repositories in the data center. This is yet another example that companies need to take an inside-out model to security and make sure that access to critical systems and data is protected from the inside through fine-grained access controls, including the NSA's new 'two-man' rule as well as role-based monitoring. This is the only way to protect against insider threats, which are the number one cause of breaches.”
Gartner analyst Avivah Litan agreed on the insider angle. In a blog post, she said that she suspects data was stolen from Target’s switching system for authorization and settlement.
“If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insiders can cause the most damage because some basic controls are not in place,” she wrote. “I wouldn’t be surprised if that’s the case with the Target Breach – i.e. that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.”
Target is a victim too, of course. Erik Bataller, principal security consultant at Neohapsis, told Infosecurity that according to current averages – about $200 per record – the 40 million cards could cost Target upwards of $8 billion or more in cleanup.
The kicker is that it is highly unlikely that Target skimped on security. As one of the largest big-box retailers in the business, the damage to its brand (and lost revenue) from something like this will have much bigger implications for its future viability than that initial $8 billion – a fact it was surely aware of in crafting security measures.
So, some had advice for Target, while others had sympathy. “Organizations that strictly follow PCI-DSS 2.0, and PCI-DSS 3.0 should be able to prevent most of these sorts of breaches, so I imagine Target has already begun the process of locking down, analyzing and securing their systems,” Identity Finder’s Titus said. “The first step to PCI-DSS 2.0 and 3.0 compliance is data sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”
"Target has likely invested heavily in security, in technologies and approaches many would consider modern and right,” said Chris Petersen, LogRhythm CTO and co-founder, in a note to Infosecurity. “Unfortunately, todays threats are quickly outpacing current security technologies and approaches. What was recently modern and right, is quickly becoming outdated and ineffective."
He added, "Companies are in an arms race against determined foes, whether they be cyber criminals, hacktivists or nation states. Their only hope of defending themselves is to ensure their defenses are truly modern. In some cases, this might mandate running next-generation technologies in parallel with their legacy counterparts."