Slashdot Mirror

← Back to Stories (view on slashdot.org)

Target Has Major Credit Card Breach

Posted by samzenpus on from the you're-the-target dept.

JoeyRox writes "Target experienced a system-wide breach of credit card numbers over the Black Friday holiday shopping season. What's unique about this massive breach is that it didn't involve compromising a centralized data center or website but instead represented a distributed attack at individual Target stores across the country. Investigators believe customer account numbers were lifted via software installed on card readers at checkout." Also at Slash BI.

7 of 191 comments (clear)

  1. don't connect everything to the internet! by Nyder · · Score: 5, Insightful

    You'd think people would figure out not to attach everything to the internet. Why the card readers needed to be connected to anything but an internal network (with no internet connection to that) is a bad security model to begin with.

    Will they ever learn?

    --
    Be seeing you...
    1. Re:don't connect everything to the internet! by E-Rock · · Score: 4, Insightful

      It's a shame that we probably won't get good details about what happened. If they're PCI compliant, those devices need to be on their own network away from the rest of the company machines. If they were actually doing that, I'd think that they could have caught this with some sort of egress filtering that would either block or alert when it saw CC information going out, or outbound connections from the CC system to unauthorized systems.

      Of course, my bet is an inside job. With the right people involved, you can bypass almost anything.

    2. Re:don't connect everything to the internet! by JWSmythe · · Score: 4, Insightful

      They don't need direct access. Actually, your CC data is suppose to be kept away from the Internet. That's what private circuits are for. In the case of a major retailer like Target, they should be doing all financial transfers over private circuits, with no Internet access.

      Someone may have decided it would be cheaper to share the circuit with Internet access. That was *very* dumb of them.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:don't connect everything to the internet! by rmdingler · · Score: 5, Insightful
      "Of course, my bet is an inside job. With the right people involved, you can bypass almost anything."

      Temp holiday hiring season combined with the traditionally busiest time of the year... the perfect storm for a well organized attack.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

  2. Inside job by Spy+Handler · · Score: 4, Insightful

    Extremely unlikely that something of this scale and magnitude could've been done without inside help. This is not like the guys who put a card skimmer on the gas pump at the corner gas station.

    IT admins at Target are probably getting grilled by FBI as we speak.

  3. Re:Chip and Pin by Tanktalus · · Score: 4, Insightful

    Why do you think chip and pin would be an update to security practices? We've had that discussion before. Multiple times. It's more security theatre, and I doubt that this attack would have been much more difficult to co-ordinate with chip/pin cards.

  4. Our Target just installed new card readers by NixieBunny · · Score: 3, Insightful
    The last time I went there, last week, the credit card reader machine was new. I don't know when it went in, as I hadn't been there for a month or two before that.

    This must mean something, or not.

    --
    The determined Real Programmer can write Fortran programs in any language.