Slashdot Mirror


Target Has Major Credit Card Breach

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

10 of 191 comments

  1. don't connect everything to the internet! by Nyder · Score: 5, Insightful

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    --
    Be seeing you...
    1. Re:don't connect everything to the internet! by E-Rock · Score: 4, Insightful

      It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

      Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.
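
Added example (not part of the original thread or of any commenter's post): a minimal sketch of the egress check described in the comment above, which alerts on outbound records from a card-reader segment that go to a destination outside an allowlist or that carry a Luhn-valid card number. The network range, function names and sample records are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the only network the card-reader segment may talk to (constructed).
ALLOWED_DESTS = [ip_network("10.50.0.0/24")]
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(payload):
    """Return masked card numbers found in payload (first 6, last 4 kept)."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def check_record(src, dst, payload):
    """Return the alerts one outbound record raises; empty list means pass."""
    alerts = []
    if not any(ip_address(dst) in net for net in ALLOWED_DESTS):
        alerts.append(f"{src} -> {dst}: destination not on allowlist")
    for pan in find_pans(payload):
        alerts.append(f"{src} -> {dst}: card number in payload ({pan})")
    return alerts

# Constructed sample records: (source, destination, payload).
SAMPLE = [
    ("10.20.1.5", "10.50.0.10", "AUTH txn=8841 amount=23.10"),
    ("10.20.1.5", "203.0.113.7", "d=4111 1111 1111 1111;exp=1215"),
    ("10.20.1.6", "10.50.0.10", "order 1234567890123456"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        for alert in check_record(*rec):
            print("ALERT", alert)
```

The Luhn check is what keeps the third record, a 16-digit order number, from raising a false alert.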

    2. Re:don't connect everything to the internet! by JWSmythe · Score: 4, Insightful

      They don't need direct access. Actually, your CC data is supposed to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:don't connect everything to the internet! by rmdingler · Score: 5, Insightful

      "Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

      Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well-organized attack.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  2. Inside job by Spy+Handler · Score: 4, Insightful

    Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

    IT admins at Target are probably getting grilled by the FBI as we speak.

  3. Re:Chip and Pin by Tanktalus · Score: 4, Insightful

    Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

  4. Our Target just installed new card readers by NixieBunny · Score: 3, Insightful

    The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

    This must mean something, or not.

    --
    The determined Real Programmer can write Fortran programs in any language.
  5. Re:upset employees? by SpzToid · Score: 1, Insightful

    Hello AC. It is extremely noticeable you have cited nothing to support your inflammatory anecdote.

    --
    You can't be ahead of the curve, if you're stuck in a loop.
  6. Re:Wouldn't be surprised if Wal-Mart was... by DaHat · Score: 2, Insightful

    It wouldn't surprise me if /. user KrazyDave was behind the whole plot... and subsequently trying to plant false stories to divert attention.

  7. I Stopped Shopping At Target by Anonymous Coward · Score: 2, Insightful

    I went into a Target a couple years ago to buy a copy of GTA IV, and they insisted on scanning the barcode off the back of my driver's license. I refused to allow them to scan my driver's license, and they refused to sell me the game. (I'm 50 years old and with a grey beard, so it wasn't to be sure that I was old enough.) I haven't been into a Target since, so this story is no problem for me! :)