Breach goes from bad to worse for Target and its customers
Company now says data on up to 110 million customers exposed -- up from 40 million -- and that hackers accessed more data than previously thought
Computerworld - Target's acknowledgement Friday that personal data of 110 million people, not 40 million as previously thought, may have been exposed to hackers in a recent data breach raises new questions about the incident and how it could affect victims.
Target today said that an ongoing investigation of the data breach has revealed that "guest information" such as names, mailing addresses, phone numbers, and email addresses of customers may have been accessed by the same thieves who hacked into its systems last month.
Much of the exposed data is "partial in nature," the company said in a statement this morning. In cases where a customer email address is available, Target said it would attempt to contact affected individuals.
"We know that it is frustrating for our guests to learn that this information was taken and we are sorry they are having to endure this," said Target chairman and CEO Gregg Steinhafel in the statement.
Target in mid-December revealed that hackers had broke into its systems between Nov. 27 and Dec. 15 and accessed data on up to 40 million debit and credit cards. At the time, Target said that hackers gained access to cardholder names, credit or debit card numbers, card expiration dates and CVV security codes.
Target now says that its subsequent investigation found that data from 30 million more people was exposed. "This theft is not a new breach, but was uncovered as part of the ongoing investigation," the company said.
The update shows that the breach exposed data on about one third of the adult population of the United States, noted James Huguelet, and independent security consultant who specializes in retail security. "It now implies that consumers who shopped at Target outside of the approximately one month the breach was active have now become potentially affected by this breach," he said. Target's statement suggests that in some cases, only an individual's e-mail address might have been compromised, while in others, the mailing address might have been exposed. Huguelet said the "partial" exposure implies "that multiple systems containing different types of information were compromised [though] that's purely speculative at this point."
Hackers using the stolen information can now target victims with highly sophisticated spear-phishing attacks Huguelet warned.
"I can see a criminal being able to create a very effective attack with each e-mail sent having been customized to include the target's name, address, and phone number. This could very well lead to a massive wave of identity theft across the United States," he said.
Huguelet suggested that all Target customers accept the retailer's offer to provide free credit monitoring, though he added, "I'm surprised that Target is not making this available immediately." Attacks could already be underway and the credit monitoring may come too late for some victims, he said.
- Heartbleed bug can expose private server encryption keys
- FTC can sue companies hit with data breaches, court says
- 5-year-old hacks Xbox, now he's a Microsoft 'security researcher'
- State AGs probe Experian subsidiary's data breach
- NSA sniffing prompts Yahoo to encrypt traffic between its data centers
- Banks withdraw data breach claim against Target
- Bank abandons place in class-action suit against Target, Trustwave
- Banks' suit in Target breach a 'wake-up call' for companies hiring PCI auditors
- Gameover malware takes aim at Monster.com and CareerBuilder.com
- Security Manager's Journal: Stopping vendors from making us a Target
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts