Breach could prove very costly for Target
Past major breaches cost TJX $250 million and Heartland $140 million; Target can expect similar costs, experts say
Computerworld - Though details of the massive data breach at Target are still emerging, it's already clear that, before the dust settles, the retailer will likely have to pay tens of millions of dollars in remediation and notification costs, fines, legal fees and settlements.
Target on Thursday confirmed a breach that let hackers access credit and debit card numbers, expiration dates and security codes of shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15.
Target has not disclosed how many cards were impacted by the breach, though industry sources have reportedly pegged the number at 40 million. The total would make the breach the largest involving payment cards since a hack of payment processor Heartland in 2009 compromised upwards of 100 million cards.
Heartland has since paid some $140 million in costs related to the breach. Other victims of major breaches have spent similar sums settling with credit card companies, banks and customers.
Target has yet to disclose how the intrusion there occurred. Reports suggest that either hackers penetrated the company's Point of Sale (POS) network or malware was somehow inserted into the card swipe devices used by customers.
"It is possible that the track data was captured by some sort of network sniffer or other means farther up the payment chain that could have been outside of the store," said James Huguelet, an independent consultant who specializes in retail security. "Track data is often passed far beyond the POS, depending upon a company's specific payment processing architecture."
If the hackers did compromise the payment devices inside Target stores across the U.S., it would indicate the opening of a new front in the war on retailers, Huguelet said.
"It's entirely possible that the Target breach was not caused by a failure in the PINPads or POS systems in their stores. We'll need to get more information before we can really ascertain where in the payment chain the breach occurred," he said.
Avivah Litan, an analyst at Gartner, said it's possible that malware wasn't used to pull off the heist.
"The Heartland Payment Systems breach was not pulled off using malware," Litan said. One of the individuals convicted in that incident, a call center employee, was able to simply walk away with the data daily on a USB drive, she said.
"Target has spent a lot of money on payment card security so I doubt the criminals installed malware on their POS systems." If malware was used, "my guess is that [it] was on a corporate server communicating with the payment processors," Litan theorized.
In a statement, Target says it has identified and fixed the problem and is now working with a computer forensics firm to find the cause. The company said it hopes that the investigation finds new measures it can take to mitigate the risk of future breaches.