Richi Jennings

Retailers are a huge target for data thieves

January 13, 2014 6:05 AM EST

Target loses again.

U.S. retailers Target (NYSE:TGT) and Neiman Marcus have revealed that sensitive credit card and other personal information has been stolen by a gang of "cyber-criminals," which could affect as many as 110 million people, a number that happens to equal one-third of the population of the United States.

But the fun and wargames don't stop there: hack announcements from other retailers are expected to impact any minute now. Explosive as a 20-megaton warhead, the news is alarming consumers, with DEFCON levels escalated by angry Congressmen and bloggers alike.

In IT Blogwatch, bloggers stoically monitor their server logs and bank balances.

Your humble blogwatcher curated these bloggy bits for your entertainment, ably assisted by Stephen Glasskeys.

 
This game is no joking matter, argues Jaikumar Vijayan:

Target's acknowledgement Friday that personal data of 110 million people, not 40 million as previously thought, may have been exposed to hackers in a recent data breach raises new questions about the incident and how it could affect victims.
...
Target in mid-December revealed that hackers had broken into its systems...and accessed data on up to 40 million debit and credit cards. Target said [hackers accessed] cardholder names...[numbers, expiration dates and CVV codes].
...
Target now says that its subsequent investigation found that...30 million more people was exposed. "This theft is not a new breach, but was uncovered as part of the ongoing investigation," the company said.
...
The update shows that the breach exposed data on about one third of the adult population of the United States, noted James Huguelet, an independent security consultant who specializes in retail security.  MORE


 
But Brian Krebs advances to the next level:

Responding to inquiries about a possible data breach...upscale retailer Neiman Marcus acknowledged...it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.
...
Earlier this week, I began hearing from sources [about] fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by [Neiman Marcus]. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase...was Neiman Marcus.
...
Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.
...
Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.  MORE


 
Then, James Niccolai takes the controls:

Neiman Marcus is notifying customers of a data breach after hackers stole merchant card information for an undisclosed number of shoppers.
...
The high-end retailer said it was working with the U.S. Secret Service and a forensics firm to investigate the theft, which it said it learned about in December from its merchant card processor.
...
"We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores," the company said via Twitter late Friday.  MORE


 
Straight from the unnamed horse's mouth:

In mid-December, we learned criminals forced their way into our system, gaining access to guest credit and debit card information. The investigation has recently determined that certain guest information was taken. That included names, mailing addresses, email addresses or phone numbers. We have partnered with a leading third-party forensics firm who is thoroughly investigating the breach.
...
Target is extending our offer of one year of free credit monitoring and identity theft protection to all Target guests who shopped in our U.S. stores. We will be sharing more information about this offer next week.  MORE


 
Then Ms. Smith discloses Congressional data:

Target, Neiman Marcus and "at least three other well-known U.S. retailers" with "outlets in malls" were also hacked over the holiday shopping season. The hacks have certainly caught the attention of Congress.
...
Avivah Litan, a security analyst for Gartner research, said, "Target was not the only retailer who got hit, but they got hit the biggest." She was told about "a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator."
...
After the Target hack, Sen. Patrick Leahy, chairman of the Senate Judiciary Committee, reintroduced a bill that would make it a crime to cover up data breaches. ... The updated Personal Data Privacy and Security Act legislation would force businesses to disclose data breaches within two months after being discovered.  MORE


 
But according to Mike Lennon, the game is rigged:

According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.
...
[According to sources] who spoke to Reuters, attackers used RAM scraper, or memory parser, malware to steal sensitive data from Target and other retail victims.
...
Visa issued alerts about attacks utilizing these types of malware in April 2013 and again in August 2013.
...
After gaining access to a merchant’s network, attackers can install memory-parsing malware on [cash registers or servers] to extract magnetic-stripe data as it moves through the payment process.  MORE


 
Meanwhile, Jim Finkle and Mark Hosenball watch and keep score:

Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks. Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.
...
The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches.  MORE


 
