Target Admits Data Breach May Have Up To 110 Million Victims 213
Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."
Re: Good excuse (Score:3, Informative)
Er this isn't about their super bonus target credit card plus or whatever they call it. This is a database they created of everyone who shopped at target and used any form of credit card. You could just have easily ended up on the list by using a bank issued debit card.
Re:Good excuse (Score:2, Informative)
I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.
Re:I have to get better sources apparently... (Score:5, Informative)
They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.
The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.
We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.
Re:Target needs to be sued (Score:3, Informative)
Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 milllion spread across that and over 19 days comes to 1 transaction every 46 seconds
Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (lets round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably closer to an average of 14 hours a day for the holiday season. So that's 78 per hour, or one transaction every 46 seconds. Somehow I think they can manage a bit more than that. Even if you factor in that not every transaction is a credit/debit transaction, I think it's still very believable.