Breach could prove very costly for Target
Past major breaches cost TJX $250 million and Heartland $140 million; Target can expect similar costs, experts say
Computerworld - Though details of the massive data breach at Target are still emerging, it's already clear that, before the dust settles, the retailer will likely have to pay tens of millions of dollars in remediation and notification costs, fines, legal fees and settlements.
Target on Thursday confirmed a breach that let hackers access credit and debit card numbers, expiration dates and security codes of shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15.
Target has not disclosed how many cards were impacted by the breach, though industry sources have reportedly pegged the number at 40 million. The total would make the breach the largest involving payment cards since a hack of payment processor Heartland in 2009 compromised upwards of 100 million cards.
Heartland has since paid some $140 million in costs related to the breach. Other victims of major breaches have spent similar sums settling with credit card companies, banks and customers.
Target has yet to disclose how the intrusion there occurred. Reports suggest that either hackers penetrated the company's point-of-sale (POS) network or malware was somehow inserted into card swipe devices used by customers.
"It is possible that the track data was captured by some sort of network sniffer or other means farther up the payment chain that could have been outside of the store," said James Huguelet, an independent consultant who specializes in retail security. "Track data is often passed far beyond the POS, depending upon a company's specific payment processing architecture."
If the hackers did compromise the payment devices inside Target stores across the U.S., it would indicate the opening of a new front in the war on retailers, Huguelet said.
"It's entirely possible that the Target breach was not caused by a failure in the PINPads or POS systems in their stores. We'll need to get more information before we can really ascertain where in the payment chain the breach occurred," he said.
Avivah Litan, an analyst at Gartner, said it's possible that malware wasn't used to pull off the heist.
"The Heartland Payment Systems breach was not pulled off using malware," Litan said. One of the individuals convicted in that incident, a call center employee, was able to simply walk away with the data daily on a USB drive, he said.
"Target has spent a lot of money on payment card security so I doubt the criminals installed malware on their POS systems." If malware was used, "my guess is that [it] was on a corporate server communicating with the payment processors," Litan theorized.
In a statement, Target says it has identified and fixed the problem and is now working with a computer forensics firm to find the cause. The company said it hopes that the investigation finds new measures it can take to mitigate the risk of future breaches.