Target Admits Data Breach May Have Up To 110 Million Victims
Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."
Wait.... What?! (Score:3)
Target just managed to 'Oh... our bad, a bunch of other systems and avenues were also hacked.... well before the system(s) we're talking about now were hacked.....'... and this isn't a bigger deal?
Contradict me if I'm wrong, but are they not talking out of the side of their mouths to say that they'd been breached earlier, and only knew it now / only divulged it now?
Re: (Score:2)
Sounds right to me... if you want to go all conspiracy theory on it, they may have known about the earlier breaches which would have made them look really bad and engineered the last one as a sort of shock and awe pity PR move to cover their incompetence.
That's the whole country (Score:5, Interesting)
According to the Census Bureau [census.gov], there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.
I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.
Cheers,
b&
Re: (Score:3)
Re: (Score:2)
Aside from that, one correction. This story deals with security breaches.
These are Canadian breeches. [rcmp-grc.gc.ca]
Re: (Score:2)
Meh. Canada is, in this as in most other things, negligible. (Sorry, guys. You know I love you but there's just not enough of you to make a difference.) Target really just opened in Canada this year, and their retail sales there amount to less than 1% of their total business.
Re: (Score:2)
Canadians have been known to come south to buy stuff, e.g. Grand Forks and Fargo.
Re: (Score:2)
Snowden revelations
Hmm, have the stolen credit cards been used, or are they just sitting in a warehouse somewhere? Maybe the NSA is relevant to the current story?
I'm just asking questions!
Re:That's the whole country (Score:5, Insightful)
Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.
I normally like and agree with your posts, but here you are pretty far off-base.
What Snowden taught us is that the NSA is totally out of control and going WAY beyond their charter.
Yes, that is information we did not have before, and it's powerful information.
Re: (Score:2)
I normally like and agree with your posts, but here you are pretty far off-base.
This just in: If somebody who you normally agree with disagrees with you, you should consider not reflexively assuming they're "pretty far off-base"... they may in fact have an equally valid position that simply isn't the same as yours.
I know everyone on Slashdot wants to have Snowden's babies... but there are other opinions of him out there that are defensible. I don't think the NSA is out of control, I think Congress is.
Re: (Score:2)
I don't actually think the NSA was "off base" but I do think they were/are "out of control" - meaning: I don't necessarily disagree with what they did, but I do disagree with them doing it without the oversight and control that is supposed to be in place.
If the NSA was transparent with the American people about what they are doing, and the American people could get behind the idea that it is a necessary and good thing to protect their self interests, then I support them going forward and collect all the dat
Re: (Score:2)
No, the Snowden leaks weren't any new information. If you think so, you're utterly ignorant of the world around you. EFF.org has a timeline of all the revelations, back to 2003.
I was stunned the leaks got the traction in the press that they did, when it was public knowledge already. The one good thing they accomplished was to un-stall the years-old EFF court case against the fed, since they couldn't claim state secrets anymore.
Re:That's the whole country (Score:4, Insightful)
Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!
I like a reductio ad absurdum as much as the next guy, but I think a better response would be to move forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards. [wikipedia.org]
Re: (Score:2)
I find it interesting that the wiki page on chip and pin vulnerabilities http://en.wikipedia.org/wiki/EMV#Vulnerabilities [wikipedia.org] only goes up to 2011
The last news report on security vulnerabilities in chip and pin schemes (that I can find) seems to be late 2012:
http://www.nbcnews.com/id/49020916/ns/technology_and_science-security/t/criminals-crack-european-chip-and-pin-cash-card-security/ [nbcnews.com]
I found this quote to be the opposite of comforting
In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."
"Denied refunds" seems to have been the main benefit from banks switching over
JFC (Score:2)
They declined me ... (Score:5, Interesting)
[True story!]
Re: (Score:2)
Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".
[True story!]
If you write to them, I'm pretty sure they are required to tell you. Plus, you can get free copies of your credit reports as a result.
No loss, though. I had one of their CCs and their customer support was so amazingly inept that I cancelled out of frustration. I've never dealt with a CC company with such pathetic customer support. It makes me mad just thinking about it. I can only imagine how well they handled a massive amount of fraud on their cards. Good thing their support is in India or people would hav
Re: (Score:2)
You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit
There's a circularity issue there. If you can't send in an application and get credit without credit history, then nobody should have credit....
Re: (Score:2)
Re: (Score:2)
There are two types of credit cards: secured and unsecured.
The concept of a "secured" credit card makes about as much sense as a mortgage loan requiring you to capitalize an extra 20% fee, and a 100% down payment of the principal being borrowed, in order to get the loan.
Good excuse (Score:5, Interesting)
My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.
Re: Good excuse (Score:3, Informative)
Er, this isn't about their super bonus Target credit card plus or whatever they call it. This is a database they created of everyone who shopped at Target and used any form of credit card. You could just as easily have ended up on the list by using a bank-issued debit card.
Re: (Score:2)
And the UK porn filter is used to quash file-sharing websites, and 9/11 was used to take down Saddam, and...
I'm an evil person, and "you can trust retailers' databases security" is hopefully not going to have a better illustration anytime soon.
At least I'm not conjuring "in this economy" or "think of the children", I'm just carefully wording the truth for her own good.
No oppressed majority will be enabled to regain power and team up with my enemies in the process.
Re: (Score:2, Informative)
I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.
Re: (Score:2)
This probably isn't even anything to do with Wall Street assholes.
Are you a software developer? Or do you know some? Probably since you're on slashdot.
Did you or any of them come out of college with the aspiration: "I want to go work for Walmart, Target, or any number of high-profile brick and mortar retail chains, it's going to be awesome!!!" (Amazon obviously doesn't count).
No, you and they didn't. That shit is hard. It's a different kind of challenge, more around integration and dealing with a billion weird
Re: (Score:2)
If the JC Penney breach didn't do it, why would this one? Was Target the epitome of safety and security in your eyes?
Bad Math? (Score:4, Interesting)
Re: (Score:3)
The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.
Probably the people who wrote the Obamacare web site.
Target is the new Kmart (Score:3)
Bunch of shit I don't want; the one thing I do want they don't have, simple things like Brasso.
Anyway, I bought 1 thing from Target because the reviews were high and it was the only place I could get it locally, and now I am tied up in this mess.
Between those two it's going to be a cold day in hell before I step foot back in that store.
PS: where is this free credit monitoring they offered me almost 3 weeks ago?
Re: (Score:2)
Go back to cash. There's no risk of identity theft with cash.
Re: (Score:2)
No, just the risk of losing cash on the way to or from the car with no chance in hell of ever getting it back.
Re: (Score:2)
I must reluctantly agree with you... There used to be several retailers out there where you could go and buy ANYTHING. Now, it seems they're dropping anything that isn't high enough margin, or a big enough seller. A few years ago I didn't go to Walmart for anything, ever. Then I fought with ridiculous parking to stop by Target, only to find that their 12 rows of shoes had one half of one aisle dedicated to men, and almost entirely dress shoes.
Have you ever walked through an entire pet store and found tha
Not just December, not just Target (Score:2)
Re: (Score:2)
It's in that case every outlet in North America regardless of size.
Am I the only person who doesn't care anymore? (Score:5, Interesting)
Re:Am I the only person who doesn't care anymore? (Score:4, Insightful)
I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very cautious and I've had 3 fraudulent uses of my card already (thankfully the bank didn't charge me).
Re: (Score:2)
Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.
Because if the government "does something", there will magically be no economic tradeoffs?
Because the government has proven they are such security experts?
Re: (Score:2)
Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.
Uh, what do credit cards have to do with the "free market"?
Hint: do you really, actually, think I can just set up a new credit card company tomorrow, without having to deal with a tsunami of government regulations around the world?
Re: (Score:2)
What the hell do you buy at Target? Overpriced old canned goods, or shitty paper storage cubes? I have not found much of value at Target even when they were not retarded.
For fuck's sake, it took nearly 10 min to get a half-warm shitty-ass hot dog on a rock-hard stale bun.
Incompetent on every single level.
Re: (Score:2)
Paying in cash is a far cry from killing yourself, or going Amish... In fact it's often more convenient than cards. Ever tried to split a bill between 10 people, all on their cards?
I could still have my identity stolen, you say? Well since I have no credit history at all, they won't get much use out of it.
There are a few ways ID theft could inconvenience me, but far less than you're exposing yourself to, and it would have far less impact on me.
Re: (Score:2)
Drop 10 credit cards on the table, tell the waiter to split the bill. Do that all the time.
Of course, in more civilized areas, restaurants give out individual checks, so it's never a problem. It drives me bonkers since I moved here that in most of the greater Boston area they usually give 1 check per table... ugh.
Never would have guessed a Windows POS (Score:2)
Are they insane?
Re:Target needs to be sued (Score:4, Insightful)
Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that Target is the benefactor of the said breach?
Really, the companies in the States are just starting to roll out chip&pin like the rest of the world. While not a perfect system by any stretch, it's a hell of a lot better than magstripe only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.
Re: (Score:3)
Re: (Score:3)
I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.
I got one when they first came out. It even came with a card interface to hook it up to your computer. They were trying their own thing if I recall, not EMV. They had a lot of grand plans for it, but they never actually did anything with it.
Re: (Score:2)
RFID and Chip & Pin [wikipedia.org] are two different beasts. Chip & Pin is the same as smartcard chips, RFID hasn't really caught on in Canada either.
Re: (Score:2)
They saved money by telling their customers that they were PCI compliant and they really weren't. Fraud.
Re: (Score:2)
It is not a benefactor of the breach. But it is a benefactor of lowering investment into IT security far below what was reasonable. (Or it was, rather. Now they are paying for that stupidity...)
the PCI compliance affidavit may be fraudulent (Score:2)
Target execs signed sworn documents affirming that they were PCI compliant. Large companies have to do an audit of their PCI compliance so that they actually know if they are compliant or not. That statement of compliance saved them millions in extra processing fees (or allowed them to get processing at all).
If those documents were false, that's lying for material gain, aka fraud. We don't yet know if a) they were PCI compliant or b) they had the required audit and thought they were compliant. It appears l
Re: (Score:2)
Re: (Score:2)
Stupidity does not equal fraud
No, but the above poster may be attempting to make an argument for shared guilt. That Target's negligence was so severe that it facilitated frauds which other actors will be committing, to the point of "aiding and abetting" the criminals who stole the numbers and other data and are in the process of hocking them for fraudulent use.
Re: (Score:2)
well, ignoring the security standards actually is fraud.
that's the whole point...
Re: (Score:3, Interesting)
In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.
Oh, wait. That was when they claimed it was 40 million names.
No way this was real time. Target must have been data mining.
Re: (Score:3, Informative)
Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 million spread across that and over 19 days comes to 1 transaction every 46 seconds.
Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (let's round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably
Re: (Score:2)
Re: (Score:2)
And which Target do you go to where there's only one checkout line? I'll be sure to avoid that one.
Btw 6 min / 6 lanes = 1 min (keeping it easy for the math challenged).
The Targets I go to have at least 20 lanes plus several POS in electronics. That still seems like I'm underestimating.
Re: (Score:2)
Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.
That much is obvious, so again, where is Target the benefactor in the said breach? Where did they *give* something that facilitated the theft of the data that contributed to fraud?
Re: (Score:2)
Only 5 years? Are you new to IT?
Only for the last 18 years or so... and that's saying something. So in Canada we rolled out chip&pin over 5 years ago, converting everything (it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.
Re: (Score:2)
Only 5 years? Are you new to IT?
Only for the last 18 years or so... and that's saying something. So in Canada we rolled out chip&pin over 5 years ago, converting everything (it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.
I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder. As in "prove these charges on your account weren't you". Right now in the states, the burden of proof does not lie with the account holder, so if this reversal of liability with chip & pin is true then I would not consider chip & pin an "upgrade"/improvement.
Right now, I give not a fuck about credit card fraud because I am charged nothing if it happens (I'm only slightly inconveni
Re: (Score:2)
I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder.
Perhaps in the States, but in Canada and the rest of the world, my cardholder agreement (TD Canada Trust, CIBC, and President's Choice) openly states that the burden of proof falls on the bank. This is doubly true with the new cards that are backed by Visa: not only are you not held accountable under the protection of the fraud agreement on the card with that, but you're also not held accountable by the bank at all.
Re:Target needs to be sued (Score:5, Insightful)
By the major credit card companies for gross negligence and conspiracy for fraud.
No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.
The only piece of sensitive info used during a credit card transaction should be a private key that stays inside a tamper-resistant chip embedded in my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.
Re: (Score:2)
Re:Target needs to be sued (Score:5, Interesting)
To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.
Re: (Score:2)
Have the police at the station asking to see the name on the credit card people are swiping?
I'm not sure we allow that, for good reason.
Re: (Score:2)
And I'm not sure if you've ever noticed, but cashiers are supposed to match the name on your license with the name on whatever credit card you're purchasing with. What would be different here?
Agreed (Score:3)
Re: (Score:2)
Re: (Score:2)
Having the police stake out a gas station for several hours will cost more than the company is losing in theft.
If you really want to lose money, catch those two criminals, prosecute them and put them in jail for 5 years - now you've cost the taxpayers $1M+.
Re: (Score:2)
Fraud is a business, billions are made annually by people who protect, prosecute and defend against fraud.
If you suddenly cut fraud by 50%, lots of honest people would be hurt.
Re: (Score:2)
This is probably the only way it will happen. Well, more realistically Congress will pass a law requiring some poorly thought-up "fixes" and after several iterations of failure, we'll end up with what Europe does. You can't secure a completely insecure system with bandaids, duct tape and PCI (which is nothing more than a liability deferral instrument.) This is going to become more and more common. Frankly, I'm surprised we don't have a report like this every other month.
Bank routing number and account numbers pr
Re: (Score:2)
No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.
Exactly right. Until those responsible for designing/implementing the system are held liable for its failure, nothing is going to change. Unfortunately the CC companies have very deep pockets and can stash a lot of legislators in them so don't expect any legislative shift in liability any time soon. Any significant change will have to come from the Judicial branch through civil suits or from the people themselves.
I wonder what would happen if everyone cut up their credit cards and just started paying
Re: (Score:2)
I interviewed at a "secure credit card transaction software" company, they were struggling to find competent programmers, no surprise since they pay their top guy 1/2 of what I make as a medical device software engineer. I doubt they are all such shoe-string operations, but as it is, they struggle to do things like validate billing zip codes. Have you ever miskeyed your zip code at a POS? I have a few times, sometimes it rejects the transaction, sometimes not.
Upgrade of the infrastructure to work on secu
Re: (Score:2)
Who cares? It's the bank's money, not mine. I don't know of a single person that has been held liable for the insecurity of credit cards.
Fixing the problem involves time and stress on the part of the customer. Time and stress are money to me.
I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back.
The magnetic strip is just as idiotic as the embossed number. A non-idiotic system would only use tamper-resistant chips and encryption, as I originally stated. While probably not impossible to hack, it would be orders of magnitude harder than current US cards. More importantly, two-bit merchants like Target would no longer be able to siphon off transaction-enabling cleartext data through their vulnerable s
Re: (Score:2)
Some 'tiny little portion' of my taxes were spent recently in bailing out some banks. Enough credit card fraud, and I'm totally confident the 'too big to fail' bunch will be back at the public trough asking for more of my taxes soon. At least a good chunk of the money these banks are risking now is tax money they got in the bailout, not their own money. It doesn't matter if I trust the card system, or even have a credit card at all. So, do you pay taxes? If so, why don't you care?
Re: (Score:2)
Now I'm sure there will be some negotiating going on but still, it's probably going to be a really big check they end up writing.
Re: (Score:2)
The CC companies are equally guilty - they should remove the magnetic strip and at least use an already implemented technical solution with chips on the cards.
Target messes with their employees and does not pay OT (Score:3)
Target messes with their employees and does not pay OT:
http://www.huffingtonpost.com/2011/10/17/target-manager-fired-lunch-break_n_1016100.html [huffingtonpost.com]
Re: (Score:3)
If they are paying their IT staff $10/hr, then I'd expect nothing less. However, I doubt that. The IT staff are probably mostly salaried, which means no OT.
Re: (Score:2)
Or they outsourced....
Re: (Score:3)
Or they outsourced....
You may be joking, but after the initial story broke I did look at their career website to see if they had an opening for an information security position (for the lulz) and noticed most of their IT positions were based in India. Since then they seem to have reduced the number of IT positions based out of India, maybe because of this, maybe they filled them. But it still seems kinda odd.
H1-B city (Score:2)
Walk through the lobby of the office tower at City Center where Target has offices and it's H1-B city. They are, like most corporations, looking to cut IT costs as much as possible and hire legions of H1-Bs.
It wouldn't surprise me at all if the volume of H1-Bs leads to a management arrogance towards IT staff that extends to native-born IT workers, which I'm sure would do plenty to create the kind of grievance that would help motivate an insider to participate in this kind of fraud.
Re: (Score:2)
If it was exposed to the internet, someone went out of their way to be stupid or to steal.
Must apply Hanlon's razor here. Someone probably did something stupid. Without evidence to the contrary, it could just as easily be a UIT (Unintentional Insider Threat) as an Intended Insider Attack.
Re: (Score:3)
Re: (Score:2)
That's a lot of data, though....
I'd bet it's less than 1% of what traverses their network every day. If they are using Hadoop for marketing purposes, I'd guess all the CC information for every account in the US is a drop in the bucket in comparison. I'd further bet it compresses well, as does most text, making it the size of a few nice digital pictures of cats.
Re: (Score:2)
That's a lot of data, though....
In data warehouse terms it isn't actually a lot of data at all. I would imagine their data storage would be in the multi-petabyte range. A couple of hundred gig could traverse the network in a very short period of time and not even register as an unusually large amount of data.
Re: (Score:2)
There is absolutely no reason to take CC data out of the transaction system and put it in the data mart. None. I helped build an activity-based costing system for a major retailer: you create a surrogate customer ID, and you store the tender type. IDS/IPS sensors should spot PII and CC info leaving the PCI world in bulk going anywhere unexpected, even if it's not much data in terms of network traffic.
If the environment is properly secured and instrumented, exfiltration should be detected.
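One shape the sensor logic described above can take, as an added example (mine, not the poster's or Target's): constructed egress flow records are scanned for Luhn-valid card-number-like tokens, tallied per destination, and every destination outside an allowlist of expected payment endpoints that reaches a threshold is reported, regardless of how few bytes were involved. Hostnames, the processor address and the card numbers are constructed test values.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Flow is one constructed egress record from a sensor at the edge of the
// cardholder-data environment (CDE): where the bytes went and a payload sample.
type Flow struct{ Dst, Payload string }

// panPattern matches 13 to 19 digit runs with optional single spaces or dashes,
// so "4111 1111 1111 1111" and "4111111111111111" both hit.
var panPattern = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)

// luhnValid reports whether a digit string passes the Luhn check; most other
// digit runs of card-number length (timestamps, order and SKU numbers) fail it.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// countPANs returns how many Luhn-valid card-number-like tokens a payload holds.
func countPANs(payload string) int {
	n := 0
	for _, m := range panPattern.FindAllString(payload, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			n++
		}
	}
	return n
}

// detectBulkPANEgress tallies PANs per destination and returns every destination
// not on the allowlist that reaches the threshold, with its PAN count. Byte
// volume is deliberately ignored: a batch of PANs is tiny next to normal traffic.
func detectBulkPANEgress(flows []Flow, allowed map[string]bool, threshold int) map[string]int {
	perDst := map[string]int{}
	for _, f := range flows {
		if !allowed[f.Dst] {
			perDst[f.Dst] += countPANs(f.Payload)
		}
	}
	alerts := map[string]int{}
	for dst, n := range perDst {
		if n >= threshold {
			alerts[dst] = n
		}
	}
	return alerts
}

// allowedDestinations is the constructed allowlist: the payment processor is the
// only place PANs are expected to go.
func allowedDestinations() map[string]bool {
	return map[string]bool{"processor.example:443": true}
}

// sampleFlows is constructed data built from well-known card test numbers:
// normal authorizations to the processor, an inventory lookup with a 13-digit
// SKU, and an FTP push of a PAN batch to a host outside the CDE.
func sampleFlows() []Flow {
	return []Flow{
		{"processor.example:443", "auth 4111111111111111 amt 23.17"},
		{"processor.example:443", "auth 5500000000000004 amt 8.99"},
		{"inventory.internal.example:8080", "sku 0123456789012 qty 3"},
		{"203.0.113.7:21", "STOR batch1.txt 4111111111111111,5500000000000004,378282246310005,6011111111111117,4012888888881881"},
		{"203.0.113.7:21", "STOR batch2.txt 4111 1111 1111 1111 order 1234567890123456 ts 20131215123045"},
	}
}

func main() {
	for dst, n := range detectBulkPANEgress(sampleFlows(), allowedDestinations(), 5) {
		fmt.Printf("ALERT bulk PAN egress: %d PANs to %s\n", n, dst)
	}
}
```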
Re: (Score:2)
our company produces multiple millions of units of product a year, taking way more information per unit than a credit card transaction
in the 3 years I have been there we have generated 20 gigabytes of pure plain ASCII text
get a clue
Re: (Score:2)
Name, CC number and details, ...
This will - minimally at least - compress to about 100 bytes per record.
5 or 10GB is not a lot of data any more.
100 million CCs = 800 MB = 10 seconds of data (Score:2)
A credit card number in a decent database is 8 bytes.
Therefore, 100 million CC numbers is 800 million bytes.
That's 800 MB, which is the amount of data a gigabit Ethernet can transfer in 10 seconds.
With the name on the card, and such, it's a few GBs. Maybe one minute of data transfer or thereabouts.
If it took the thieves a few hours to download over a slow connection, that would have been less than 1% of Target's traffic during that time period.
Re: (Score:2)
Web site overdue for an update? Guilty. On my to do list for years [and probably years from now].
Krebs On Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and Master Card. Target wouldn't have caught it as soon as they did unless they were told.
Negligent? Er, uh, yup.
But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.
It's the person
Re: (Score:2)
"It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs."
Right on. I've had a $200 fraud in my account just before the holidays. Royal Bank Of Canada can't access the ATM cameras (they tell me it's not one of theirs). Their argument is since they can't prove it was somebody else using the card, *I* have to eat the losses. Great, and all that time I thought people were innocent until proven guilty in that count
Re: (Score:2)
Re:I have to get better sources apparently... (Score:5, Informative)
They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.
The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.
We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.
Re: (Score:3)
In a proper solution a dealer like Target should not even have access to the unencrypted identification data; that should be passed encrypted between the terminal and the bank or payment handler, and the dealer should only need to get "approved" or "denied" back for the request.
In addition to this, magnetic stripes are obsolete; they were introduced during the 70's. Modern cards have a chip which is harder to duplicate. Not impossible, but a lot harder. Almost all terminals in Europe handle chips, and all ma
not mag stripe data (Score:3)
Re: (Score:3)
The PINs were supposedly encrypted with 3DES (which isn't exactly robust)
Stop repeating those crappy news sites. There's nothing wrong with 3DES.
DES is one of the few ciphers which has never shown a weakness in the algorithm. Yes, it has a small key size, hence 3DES. The only real reason not to use it is software performance (DES was designed for hardware implementation, not software).
https://en.wikipedia.org/wiki/Data_Encryption_Standard#Replacement_algorithms [wikipedia.org]
Re: (Score:2)
That "encrypted with 3DES" thing has bothered me too, it does not make much sense unless they mean the filesystem the database is on or something. Otherwise how do you effectively cipher a 4 digit pin with 3DES?
Yes, some databases can cipher tables, but that isn't really helpful against an online attack where the table is already unlocked.
Ideally you would store the ciphered values and the application layer would have the key, which leaves you with needing to make sure you select unique IVs for every PIN ot
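As an added illustration (mine, not the poster's, and not a claim about what Target did) of how a four-digit PIN is actually encrypted with 3DES: the standard format is an ISO 9564-1 format 0 PIN block, one 8-byte block that XORs the PIN with digits of the PAN and is encrypted as a single block, so there is no IV to pick; passing an empty PAN builds the naive PIN-only block for comparison, and the key check rejects 24-byte keys under which Go's crypto/des silently degrades to single DES. The key and card numbers are constructed test values, and the per-transaction key derivation real terminals use is not modelled.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinField returns the 16-hex-digit ISO 9564-1 PIN field: "0", the PIN length
// as one hex digit, the PIN, then 'F' padding.
func pinField(pin string) (string, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("PIN must be 4 to 12 decimal digits")
	}
	f := fmt.Sprintf("0%X%s", len(pin), pin)
	return f + strings.Repeat("F", 16-len(f)), nil
}

// clearPINBlock builds a format 0 clear PIN block: the PIN field XORed with the
// PAN field ("0000" + the 12 rightmost PAN digits excluding the check digit), so
// the same PIN on two cards gives two different blocks. With pan == "" the PAN
// field is all zeros: the naive PIN-only block, shown here only for comparison.
func clearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	panField := "0000000000000000"
	if pan != "" {
		if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
			return nil, errors.New("PAN must be at least 13 decimal digits")
		}
		panField = "0000" + pan[len(pan)-13:len(pan)-1]
	}
	p, _ := hex.DecodeString(pf)       // valid hex by construction
	q, _ := hex.DecodeString(panField) // 16 hex digits by construction
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// checkTripleDESKey rejects 24-byte keys that crypto/des accepts but that make
// encrypt-decrypt-encrypt collapse to single DES: K1 == K2 or K2 == K3.
func checkTripleDESKey(key []byte) error {
	if len(key) != 24 {
		return errors.New("3DES key must be 24 bytes (K1|K2|K3)")
	}
	if bytes.Equal(key[0:8], key[8:16]) || bytes.Equal(key[8:16], key[16:24]) {
		return errors.New("degenerate 3DES key: reduces to single DES")
	}
	return nil
}

// encryptPINBlock encrypts one PIN block with 3DES. The block is exactly one DES
// block, so it is a single ECB block and there is no IV; distinct ciphertexts for
// the same PIN come from the PAN inside the block (and, in deployed terminals,
// from per-transaction keys, which this example does not model).
func encryptPINBlock(key, block []byte) ([]byte, error) {
	if err := checkTripleDESKey(key); err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// encryptedPIN builds the clear block for (pin, pan) and encrypts it under key.
func encryptedPIN(key []byte, pin, pan string) ([]byte, error) {
	blk, err := clearPINBlock(pin, pan)
	if err != nil {
		return nil, err
	}
	return encryptPINBlock(key, blk)
}

func main() {
	key := []byte("0123456789ABCDEFFEDCBA98") // constructed 24-byte test key, K1 != K2 != K3
	// "" is the PIN-only block; the other two are well-known card test numbers.
	for _, pan := range []string{"", "4111111111111111", "4000123456789010"} {
		ct, err := encryptedPIN(key, "1234", pan)
		if err != nil {
			panic(err)
		}
		fmt.Printf("PIN 1234, PAN %-16s -> %x\n", pan, ct)
	}
}
```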
Re: (Score:3)
And just too bad for the 360K people they employ, nearly none of whom could have known or done anything about this, right?
Re: (Score:2)
if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people.
If it didn't happen to the Comodo certificate authority, who had signed a bunch of rogue SSL certificates: when their whole business model is to be a cert provider of reliable verified trust, then it won't happen to Target.