Target Admits Data Breach May Have Up To 110 Million Victims

← Back to Stories (view on slashdot.org)

Target Admits Data Breach May Have Up To 110 Million Victims

Posted by timothy on Friday January 10, 2014 @01:39PM from the ok-this-time-try-20-percent-off dept.

Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."

144 of 213 comments (clear)

Min score:

Reason:

Sort:

Target needs to be sued by Anonymous Coward · 2014-01-10 13:48 · Score: 1

By the major credit card companies for gross negligence and conspiracy for fraud.
1. Re:Target needs to be sued by Mashiki · 2014-01-10 14:05 · Score: 3, Insightful
  
  Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that target is the benefactor of the said breech?
  Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.
  
  --
  Om, nomnomnom...
2. Re:Target needs to be sued by Waffle+Iron · 2014-01-10 14:19 · Score: 5, Insightful
  
  By the major credit card companies for gross negligence and conspiracy for fraud.
  No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick a security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.
  The only piece of sensitive info used during a credit card transaction should be a private key that stays inside in a tamper-resistant chip embedded inside my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.
3. Re:Target needs to be sued by bloodhawk · 2014-01-10 14:23 · Score: 1
  
  Stupidity does not equal fraud
4. Re:Target needs to be sued by pcwhalen · 2014-01-10 14:26 · Score: 3, Interesting
  
  In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.
  Oh, wait. that was when they claimed it was 40 million names.
  No way this was real time. Target must have been data mining.
  
  --
  Pay no attention to the man behind the curtain with all your metadata.
5. Re:Target needs to be sued by Anonymous Coward · 2014-01-10 14:31 · Score: 1
  
  Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that target is the benefactor of the said breech?
  Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.
  Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.
6. Re:Target needs to be sued by aviators99 · 2014-01-10 14:51 · Score: 1
  
  They don't need to be sued. Their merchant agreements make them liable for fraudulent charges and a fee for each card that has to be reissued. It will be in the billions, for sure.
7. Re:Target needs to be sued by LordKronos · 2014-01-10 15:00 · Score: 2, Informative
  
  Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 milllion spread across that and over 19 days comes to 1 transaction every 46 seconds
  Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (lets round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably closer to an average of 14 hours a day for the holiday season. So that's 78 per hour, or one transaction every 46 seconds. Somehow I think they can manage a bit more than that. Even if you factor in that not every transaction is a credit/debit transaction, I think it's still very believable.
8. Re:Target needs to be sued by BringsApples · 2014-01-10 15:14 · Score: 1
  
  Credit and debt go hand in hand. It's the American dream, in reality. You have a card where you are able to spend money that not only do you not have, but doesn't exist at all. Once enough people are in debt to that system, then money (debt) prints itself. It's the American dreamers that make this possible. Hell, the credit card companies don't even give a shit about theft anymore. They're doing to you, what you originally tried to do to them - have money that doesn't even exist. Except, for them, there are legal benefits to being on their side of the game. And rather than money, they live/exist off of debt.
  
  Don't forget that all money that's printed, represents a debt. In this way, the credit card companies (basically the elite) live off of debt, not money.
  
  --
  Politics; n. : A religion whereby man is god.
9. Re:Target needs to be sued by nwf · 2014-01-10 15:14 · Score: 1
  
  This is probably the only way it will happen. Well, more realistically congress will pass a law requiring some poorly thought-up "fixes" and after several iterations of failure, we'll end up with Europe does. You can't secure a completely insecure system with bandaids, duct tape and PCI (which is nothing more than a liability deferral instrument.) This is going to become more and more common. Frankly, I'm surprised we don't have a report like this every other month.
  Bank routing number and account numbers printed on checks is even worse, though. Writing a check with an amount isn't much more secure than leaving the amount field blank.
  
  --
  I don't know, but it works for me.
10. Re:Target needs to be sued by Mashiki · 2014-01-10 15:19 · Score: 1
  
  Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.
  That much is obvious, so again where is Target the benefactor in the said breech? Where did they *give* something that facilitated the theft of the data that contributed to fraud.
  
  --
  Om, nomnomnom...
11. Re:Target needs to be sued by beanpoppa · 2014-01-10 15:20 · Score: 2
  
  I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.
12. Re:Target needs to be sued by Mashiki · 2014-01-10 15:23 · Score: 1
  
  Only 5 years? Are you new to IT?
  Only of the last 18 years or so...and that's saying something. So in Canada we rolled out chip&pin over 5 years ago converting everything(it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.
  
  --
  Om, nomnomnom...
13. Re:Target needs to be sued by beanpoppa · 2014-01-10 15:27 · Score: 4, Interesting
  
  Not sure why you think credit card companies don't care about fraud. They invest a lot in systems that study CC usage to flag transactions for possible fraud. In the last year, I've had 3 situations where a transaction has been declined until I contact the CC to verify that they are legitimate transactions. You might not feel that they do enough, but they certainly have an effort. There is just a point of diminishing returns where they've decided that it's not worth the extra effort to get fraud down below a certain level.
14. Re:Target needs to be sued by mysidia · 2014-01-10 16:32 · Score: 1
  
  Stupidity does not equal fraud
  No, but the above poster may be attempting to make an argument for shared guilt. That Target's negligence was so severe that it facilitated frauds which other actors will be committing, to the point of "aiding and abetting" the criminals who stole the numbers and other data and are in the process of hoc'ing them for fraudulent use.
15. Re:Target needs to be sued by BringsApples · 2014-01-10 16:44 · Score: 4, Interesting
  
  Well, point taken. But not long ago, a friend's card was stolen, so he cancelled it. The next month, he got a bill from the credit card company. It appeared that the thief went and filled up his gas-tank, as well as either a buddy's, or a boat or something, 3 Fridays in a row, same gas station, roughly same time of the day. The credit card company assured him that he wasn't expected to pay, and that they'd cancelled the card. next month, same thing, roughly same amount, roughly same time, same day (Friday) same gas station. Again he called, same response - "no worries". Next month, same thing. Finally he told them, "He look, this guy's going to be there next Friday at about [whatever time it was], why not just have the cops waiting? They basically told him that sometimes it takes a while before the gas station pumps are capable of registering that the card is bad/cancelled, and that there was no need to alert the police.
  
  To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.
  
  --
  Politics; n. : A religion whereby man is god.
16. Re:Target needs to be sued by Waffle+Iron · 2014-01-10 16:50 · Score: 1
  
  Who cares? Its the bank's money not mine. I don't know of a single person that has been held liable for the insecurity of credit cards.
  Fixing the problem involves time and stress on the part of the customer. Time and stress are money to me.
  
  I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back.
  The magnetic strip is just as idiotic as the embossed number. A non-idiotic system would only use tamper-resistent chips and encryption, as I originally stated. While probably not impossible to hack, it would be orders of magnitude harder than current US cards. More importantly, two-bit merchants like Target would no longer be able siphon of transaction-enabling cleartext data throught their vulnerable systems.
  
  Its the credit card companies that have weighed the cost/benefit analysis on the security of credit cards not the individuals.
  Hence, as I mentioned, the need for them to get soundly sued by everyone who has been affected by this breach. The credit companies are in sore need of a major attitude adjustment.
17. Re:Target needs to be sued by EvilSS · 2014-01-10 17:12 · Score: 1
  
  PCI compliance is involved, so no lawsuit is required. The PCI fines (levied by the PCI Scurity Standards Council, and Target is contractually obligated to pay) are $90 per account. Do the math on that for a second.
  
  Now I'm sure there will be some negotiating going on but still, it's probably going to be a really big check they end up writing.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
18. Re:Target needs to be sued by Artifakt · 2014-01-10 17:28 · Score: 1
  
  Some 'tiny little portion' of my taxes were spent recently in bailing out some banks. Enough credit card fraud, and I'm totally confident the 'too big to fail' bunch will be back at the public trough asking for more of my taxes soon. At least a good chunk of the money these banks are risking now is tax money they got in the bailout, not their own money. It doesn't matter if I trust the card system, or even have a credit card at all. So, do you pay taxes? If so, why don't you care?
  
  --
  Who is John Cabal?
19. Re:Target needs to be sued by Charliemopps · 2014-01-10 17:34 · Score: 1
  
  They saved money by telling their customers that they were PCI compliant and they really weren't. Fraud.
20. Re:Target needs to be sued by The+Grim+Reefer · 2014-01-10 17:36 · Score: 1
  
  Stupidity does not equal fraud
  Unless it's Sony. We still hate them, right? ;-)
21. Re:Target needs to be sued by gweihir · 2014-01-10 17:44 · Score: 1
  
  It is not a benefactor of the breach. But it is a benefactor of lowering investment into IT security far below what was reasonable. (Or it was rather. Not they are paying for that stupidity...)
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
22. Re:Target needs to be sued by Fnord666 · 2014-01-10 17:53 · Score: 2
  
  I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.
  I got one when they first came out. It even came with a card interface to hook it up to your computer. They were trying their own thing if I recall, not EMV. They had a lot of grand plans for it, but they never actually did anything with it.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
23. Re:Target needs to be sued by JLennox · 2014-01-10 17:57 · Score: 1
  
  Have the police at the station asking to see the name on the credit card people are swiping?
  I'm not sure we allow that, for good reason.
24. Re:Target needs to be sued by Fnord666 · 2014-01-10 18:04 · Score: 1
  
  No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick a security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.
  Exactly right. Until those responsible for designing/implementing the system are held liable for its failure, nothing is going to change. Unfortunately the CC companies have very deep pockets and can stash a lot of legislators in them so don't expect any legislative shift in liability any time soon. Any significant change will have to come from the Judicial branch through civil suits or from the people themselves.
  I wonder what would happen if everyone cut up their credit cards and just started paying cash for things? Maybe we could start with a campaign to get people to pay cash on Tuesdays? Just one day a week to get things rolling.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
25. Re:Target needs to be sued by Z00L00K · 2014-01-10 18:44 · Score: 1
  
  The CC companies are equally guilty - they should remove the magnetic strip and at least use an already implemented technical solution with chips on the cards.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
26. Re:Target needs to be sued by DigiShaman · 2014-01-10 18:53 · Score: 1
  
  I won't debate the math on that, but from my own personal experience shopping at Target, each transaction takes about 3 minutes on average. Sometimes you have that person that's only buying one or two things; typically 1 minute from being greeted by the clerk to being handed the receipt and goods. Other times, I've been stuck behind someone with a cart of 30+ items. That person then proceeds to fumble paying with cash and putting the rest of credit cards. That lasted about 6 minutes.
  
  --
  Life is not for the lazy.
27. Re:Target needs to be sued by stoploss · 2014-01-10 19:17 · Score: 1
  
  Only 5 years? Are you new to IT?
  Only of the last 18 years or so...and that's saying something. So in Canada we rolled out chip&pin over 5 years ago converting everything(it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.
  I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder. As in "prove these charges on your account weren't you". Right now in the states, the burden of proof does not lie with the account holder, so if this reversal of liability with chip & pin is true then I would not consider chip & pin an "upgrade"/improvement.
  Right now, I give not a fuck about credit card fraud because I am charged nothing if it happens (I'm only slightly inconvenienced by having to wait for the issuance of a new card). If I am potentially liable for fraud when someone defeats the security of the chip & pin point of sale device, but I can't prove it, then no thanks.
28. Re:Target needs to be sued by Mashiki · 2014-01-10 20:27 · Score: 1
  
  RFID and Chip & Pin are two different beasts. Chip & Pin is the same as smartcard chips, RFID hasn't really caught on in Canada either.
  
  --
  Om, nomnomnom...
29. Re:Target needs to be sued by BringsApples · 2014-01-10 22:21 · Score: 1
  
  That wouldn't have been necessary. It looked like some person got off work (around 5pm), and went and filled up their vehicle, and a boat, or some other large-capacity vehicle.
  
  And I'm not sure if you've ever noticed, but cashiers are supposed to match the name on your license with the name on whatever credit card you're purchasing with. What would be different here?
  
  --
  Politics; n. : A religion whereby man is god.
30. Re:Target needs to be sued by gl4ss · 2014-01-10 23:00 · Score: 1
  
  well, ignoring the security standards actually is fraud.
  that's the whole point...
  
  --
  world was created 5 seconds before this post as it is.
31. Re:Target needs to be sued by Mashiki · 2014-01-11 00:02 · Score: 1
  
  I believe I read once that the chip & pin regime causes the burden of proof for fraud to fall on the account holder.
  
  Perhaps in the states, but in Canada and the rest of the world, my cardholder agreement(TD Canada Trust, CIBC, and Presidents Choice) openly states that the burden of proof falls on bank. This is doubly true with the new cards that are backed by visa, not only are you not held accountable under the protection of the fraud agreement on the card with that, but you're also not held accountable by the bank at all.
  
  --
  Om, nomnomnom...
32. Re:Target needs to be sued by foniksonik · 2014-01-11 02:40 · Score: 1
  
  And which Target do you go to where there's only one checkout line? I'll be sure to avoid that one.
  Btw 6 min / 6 lanes = 1 min (keeping it easy for the math challenged).
  The Targets I go to have at least 20 lanes plus several POS in electronics. That still seems like I'm under estimating.
  
  --
  A fool throws a stone into a well and a thousand sages can not remove it.
33. Re:Target needs to be sued by JoeMerchant · 2014-01-11 03:27 · Score: 1
  
  I interviewed at a "secure credit card transaction software" company, they were struggling to find competent programmers, no surprise since they pay their top guy 1/2 of what I make as a medical device software engineer. I doubt they are all such shoe-string operations, but as it is, they struggle to do things like validate billing zip codes. Have you ever miskeyed your zip code at a POS? I have a few times, sometimes it rejects the transaction, sometimes not.
  Upgrade of the infrastructure to work on secure keys kept in tamper _resistant_ chips on the cards, while entirely possible, even simple, from a technical perspective, would involve the creation of thousands of new jobs, and destruction of thousands more. it becomes a political issue, and is unlikely to move forward without national level political (legislative) backing / mandate. That will take time - decades, unless real harm comes to enough people who matter to the legislators. It doesn't help that the legislators can understand how the current system works, and probably don't understand how a secure key is actually better.
  The plastic number embossed on the card is a mimic of the routing and account numbers printed on the face of paper checks - it's an honor system, enforced by threat of criminal punishment. It's impressive how well it works with the massive international use of credit cards to transfer money.
  There have been scofflaws since the days of hanging pickpockets, and there will continue to be even after credit cards become more technically secure.
34. Re:Target needs to be sued by JoeMerchant · 2014-01-11 03:31 · Score: 1
  
  Fraud is a business, billions are made annually by people who protect, prosecute and defend against fraud.
  If you suddenly cut fraud by 50%, lots of honest people would be hurt.
35. Re:Target needs to be sued by JoeMerchant · 2014-01-11 03:33 · Score: 1
  
  Having the police stake out a gas station for several hours will cost more than the company is losing in theft.
  If you really want to lose money, catch those two criminals, prosecute them and put them in jail for 5 years - now you've cost the taxpayers $1M+.
36. Re:Target needs to be sued by Jawnn · 2014-01-11 05:31 · Score: 1
  
  The police have more important things to do than chase down credit card thieves, like chasing down mp3 and video pirates.
37. Re:Target needs to be sued by David_W · 2014-01-11 06:23 · Score: 1
  
  And I'm not sure if you've ever noticed, but cashiers are supposed to match the name on your license with the name on whatever credit card you're purchasing with. What would be different here?
  I'm pretty sure that's wrong. From what I've read, you "cannot" be required to show an ID when purchasing with a credit card, unless you haven't signed the back. This is the first link I found that seems to back that up.
38. Re:Target needs to be sued by BronsCon · 2014-01-11 07:18 · Score: 1
  
  They gave the gaping hole the data was sucked through.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
39. Re:Target needs to be sued by BronsCon · 2014-01-11 07:33 · Score: 1
  
  Unless there are more people fighting fraud than there are victims of it, cutting fraud by 50% would mean the number of people now *not* hurt by fraud outweighs the number of people hurt be reduced fraud. Unless you're also counting perpetrators of fraud as parties hurt by the reduction of fraud. Reducing the occurrence of literally anything hurts someone, somewhere, in some way; it's a balancing act to determine the level at which the benefit, overall, is maximized in relation to the damage done elsewhere. Stamping out fraud altogether would get more people using the cards in more places, for more transactions; the fraud investigators would simply find new roles, fraud victims would no longer exist, and the only ones "hurt" by this would be the fraudsters, who, in reality, would simply move on to some other scam; likely one where the victim has an opportunity to stop the fraud before it happens.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
40. Re:Target needs to be sued by JoeMerchant · 2014-01-11 07:49 · Score: 1
  
  Take a look around, what's the ratio of homeland security and related support personnel to actual terrorists?
  In the 1930's we could build parks and clean up highways to get people working...
  Fraud investigators, prosecution and defense attorneys, security firms, etc. don't want the disruption of having their life-long careers de-valued. They're honest, hardworking people, why should they be hurt? The defrauded are (mostly) made whole by the operation of the system, the "guilty" are punished - why should that change? /sarcasm
  1 million lawyers at the bottom of the ocean is only a good start, but I doubt I'll ever see the day we even put 100,000 lawyers out of work with a piece of legislation.
41. Re:Target needs to be sued by BronsCon · 2014-01-11 08:05 · Score: 1
  
  Not sure what homeland security and terrorism has to do with this, and your analogy doesn't even fit; rather than considering the ratio of good-guys to victims (as in the post you're replying to), you're considering the ratio of good-guys to bad-guys, which is a fallacy, at best, even if only because it's hard to call homeland security "good-guys". But, you did manage to follow up with a good bit of sarcasm, so, there's that.
  
  Have you not been following along? the guilty are rarely punished; just in these comments, alone, I can identify more than a handful of "I handed them the perp and they refused to prosecute" stories. If they don't bother with the ones that get handed to them, what makes you think they go after the ones they have to work for?
  
  Totally agree with that last bit about the lawyers, though.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
42. Re:Target needs to be sued by BronsCon · 2014-01-11 08:06 · Score: 1
  
  Oh christ... I totally acknowledged that the 3rd paragraph of GP was sarcasm, then proceeded to attack it anyway. I think I need to go back to sleep...
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
43. Re:Target needs to be sued by JoeMerchant · 2014-01-11 11:35 · Score: 1
  
  Yeah, I rarely use the /sarcasm tag, but it seemed necessary this time...
  What I'm saying is that there are large portions of society that are essentially parasitic, feeding off of conflict and misery that could be avoided, but rather than fix the root cause problem, they band-aid it and profit. They have entrenched interests and will rigorously oppose anything that might fix the root cause problems, because that would put them out of a living - and for the people who say they could do something else... think, after you've built a 20+ year career in a field, if that field is suddenly made irrelevant by a structural change to society that eliminates the problem you have been salving for decades, would you really want to start over as best you can in "a related industry" - alongside all your displaced comrades who are flooding the market? You might do better starting over with "you want fries with that?"
  So, in this case, sure credit card numbers could be harder to steal, but how many "honest, hardworking" people would that hurt? In a related topic, over half of credit defaults could be avoided by denying credit to the 1% least creditworthy applicants - but that will never happen because those are the people that banks make most of their profits from.
  To me, a huge root cause of this crony capitalism is the creation of laws by lawyers. If we passed a law today that any person who sits for a bar exam, in any state or country, from January 1, 2015 forward shall ever-after be barred from holding public office, federal, state or local, in any legislative or executive capacity (let them be Judges), and also barred from lobbying for legislative change in any capacity - it's not as complete or perfect a solution as taking them all out and killing them tomorrow, but, I'd wager that by 2115, we would have significant structural improvements in the laws, tax codes, and many other aspects of society that have been jury-rigged by the lawyers to serve their own self-interests. Call it juris-legislative separation - the modern extension of separation of church and state.
44. Re:Target needs to be sued by BronsCon · 2014-01-11 11:48 · Score: 1
  
  Save for your earlier flawed analogy... I find your ideas interesting and would like to subscribe to your newsletter. I don't think our views are too far in disagreement to be reconciled; we just have different means of expressing them.
  
  So, where to start lobbying for these new laws? I actually think we'd see changes in our own lifetimes, rather than your 100-year timeline.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
45. Re:Target needs to be sued by Mashiki · 2014-01-11 12:10 · Score: 1
  
  Okay sure. But again, that's theft of the data. Are you saying that you're responsible if someone steals a knife from your kitchen and goes on a stabbing spree?
  
  --
  Om, nomnomnom...
46. Re:Target needs to be sued by JoeMerchant · 2014-01-11 12:10 · Score: 1
  
  Start a movement, but for this to work it would really need to happen at least at a state level, preferably federal. The first hurdle is that you will find >50% of the lawmakers voting on the proposal will be lawyers, sons of lawyers, etc. You'll need to get some kind of explosive viral adoption of the campaign that will shock and awe the change into being before the lawyers have a chance to launch a counter-appeal for public opinion. You'll need people who are far more talented and experienced than I am to pull that off, and who also are not self-interested in keeping lawyers lives posh - the list of qualified individuals will be short, and you'll have to be careful when building it lest you tip-off the other side and give them a head start.
  Best of luck, and if you fail, maybe you could re-direct your efforts toward saving the planet:
  http://5050by2150.wordpress.com/
  That concept, too, could be better expressed and promoted, it lacks mass appeal - but addresses a problem that is inevitable as long as positive population and economic growth continues.
47. Re:Target needs to be sued by BringsApples · 2014-01-11 13:18 · Score: 1
  
  You're probably correct, but who signs that back of their credit cards anymore?
  
  --
  Politics; n. : A religion whereby man is god.
48. Re:Target needs to be sued by BronsCon · 2014-01-11 15:16 · Score: 1
  
  No, but you're responsible if you know there are people looking for knives to go on stabbing sprees in your area and you leave one on in plain view on your front porch like Target did.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
49. Re:Target needs to be sued by BronsCon · 2014-01-11 15:18 · Score: 1
  
  Replying twice because... what the fuck, man?
  
  But again, that's theft of the data. Uh, yeah, and that's what you were asking about.
  
  Where did they *give* something that facilitated the theft of the data that contributed to fraud.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Wait.... What?! by Lukano · 2014-01-10 13:48 · Score: 2

Target just managed to 'Oh... our bad, a bunch of other systems and avenues were also hacked.... well before the system(s) we're talking about now were hacked.....'... and this isn't a bigger deal?
Contradict me if I'm wrong, but are they not talking out of the side of their mouths to say that they'd been breached earlier, and only knew it now / only divulged it now?
1. Re:Wait.... What?! by JoeMerchant · 2014-01-11 03:37 · Score: 1
  
  Sounds right to me... if you want to go all conspiracy theory on it, they may have known about the earlier breaches which would have made them look really bad and engineered the last one as a sort of shock and awe pity PR move to cover their incompetence.
That's the whole country by TrumpetPower! · 2014-01-10 13:57 · Score: 5, Interesting

According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.
I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.
Cheers,
b&

--
All but God can prove this sentence true.
1. Re:That's the whole country by rmdingler · 2014-01-10 14:10 · Score: 2
  
  Well, there were significant breeches in the Canadian Targets, IIRC, so I suspect we're talking about multiple nationalities credit data.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
2. Re:That's the whole country by psithurism · 2014-01-10 14:11 · Score: 1
  
  Snowden revelations
  Hmm, have the stolen credit cards used or are they just sitting in a warehouse somewhere? Maybe the NSA is relevant to the current story?
  I'm just asking questions!
3. Re:That's the whole country by Anonymous Coward · 2014-01-10 14:31 · Score: 1
  
  For what it's worth, the population of the US as of 2012 is roughly 314 million. Target lost a fuckton of card information.
4. Re:That's the whole country by rueger · 2014-01-10 14:38 · Score: 1
  
  You're right in suggesting that Canadians almost certainly also had their data stolen.
  
  Aside from that, one correction. This story deals with security breaches.
  
  These are Canadian breeches.
  
  --
  Three Squirrels
5. Re:That's the whole country by girlintraining · 2014-01-10 15:16 · Score: 1, Troll
  
  According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.
  *facepalm* A household is not the same as an individual. And most people own not one card, but an average of about 3.7. Currently, over 391 million credit card accounts exist in the United States. 115 million equals 29.4% of that. Further, I don't know what you consider "their entire database", since the census bureau tracks the number of households and other population data, not the number of valid credit card numbers Target has. But let's not quibble over details...
  
  I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place?
  
  Yes, let's just give up and go back to checks -- nobody ever committed fraud with those! Oh wait, they did? Umm, how about just cash transactions? Damn! Foiled again. Umm, gold? Wait, you can fake gold? How about the barter system? They got to that too? I guess I'll just have to move into the mountains, far away from any other person, and live off the land like our ancestors did, forsaking all advancements of civilization.
  Or I could come up with some kind of social framework, something with a nice ring to it, like the Rule of Law. Sounds impressive. Let's go with that.
  
  But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.
  You know, mentioning Snowden or the NSA in any reference to civil liberties or privacy should invoke some kind of response similar to Godwin'ing a thread. "You know who else liked data breaches..." Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people. It's like saying Microsoft develops software is a revelation. And no, the NSA didn't just implode because some cheeky twenty-something dropped drawers and mooned them, anymore than Target's going to simply shutter up and crawl into a corner to die quietly in retail exile.
  It may be exceedingly inconvenient that people can say and do stupid things with such regularity and suffer no long-term effects but that's about it. If you're expressing surprise or admonishment over this state of affairs, you clearly need to get out more.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
6. Re:That's the whole country by TheGratefulNet · 2014-01-10 15:33 · Score: 4, Insightful
  
  Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.
  I normally like and agree with your posts, but here you are pretty far off-base.
  what snowden taught us is that the nsa is totally out of control and going WAY beyond their charter.
  yes, that is information we did not have before and its powerful information.
  
  --
  
  --
  "It is now safe to switch off your computer."
7. Re:That's the whole country by goodmanj · 2014-01-10 16:01 · Score: 1
  
  Meh. Canada is, in this as in most other things, negligible. (Sorry, guys. You know I love you but there's just not enough of you to make a difference.) Target really just opened in Canada this year, and their retail sales there amount to less than 1% of their total business.
8. Re:That's the whole country by Jeremi · 2014-01-10 16:48 · Score: 3, Insightful
  
  Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!
  
  I like a reductio ad absurdum as much as the next guy, but I think a better response would be to forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards.
  
  --
  
  I don't care if it's 90,000 hectares. That lake was not my doing.
9. Re:That's the whole country by girlintraining · 2014-01-10 18:06 · Score: 1
  
  I normally like and agree with your posts, but here you are pretty far off-base.
  This just in: If somebody who you normally agree with disagrees with you, you should consider not reflexively assuming they're "pretty far off-base"... they may in fact have an equally valid position that simply isn't the same as yours.
  I know everyone on slashdot wants to have Snowden's babies... but there are other opinions of him out there that are defensible. I don't think the NSA is out of control, I think Congress is.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
10. Re:That's the whole country by Anonymous Coward · 2014-01-10 18:06 · Score: 1
  
  Also saying that everyone knew they were doing this stuff already are missing the point that it's still illegal.
11. Re:That's the whole country by rossdee · 2014-01-10 18:14 · Score: 1
  
  Canadians have been know to come south to buy stuff eg Grand Forks and Fargo
12. Re:That's the whole country by TubeSteak · 2014-01-10 19:16 · Score: 1
  
  I find it interesting that the wiki page on chip and pin vulnerabilities http://en.wikipedia.org/wiki/EMV#Vulnerabilities only goes up to 2011
  The last news report on security vulnerabilities in chip and pin schemes (that i can find) seems to be late 2012
  http://www.nbcnews.com/id/49020916/ns/technology_and_science-security/t/criminals-crack-european-chip-and-pin-cash-card-security/
  I found this quote to be the opposite of comforting
  
  In their paper, the Cambridge researchers asserted that, based on their conversations with bankers, "banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."
  
  "Denied refunds" seems to have been the main benefit from banks switching over to chip and pin.
  
  --
  [Fuck Beta]
  o0t!
13. Re:That's the whole country by evilviper · 2014-01-10 21:31 · Score: 1
  
  No, the Snowden leaks weren't any new information. If you think so, you're utterly ignorant of the world around you. EFF.org has a timeline of all the revelations, back to 2003.
  I was stunned the leaks got the traction in the press that they did, when it was public knowedge already. The one good thing they accomplished was to un-stall the years-old EFF court case against the fed, since they couldn't claim state secrets, anymore.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
14. Re:That's the whole country by JoeMerchant · 2014-01-11 03:54 · Score: 1
  
  I don't actually think the NSA was "off base" but I do think they were/are "out of control" - meaning: I don't necessarily disagree with what they did, but I do disagree with them doing it without the oversight and control that is supposed to be in place.
  If the NSA was transparent with the American people about what they are doing, and the American people could get behind the idea that it is a necessary and good thing to protect their self interests, then I support them going forward and collect all the data they can and using it to stop the real bad things from happening.
  What everybody is worried about is "losing their privacy" so that all the laws that they break on a regular basis might get enforced on them. Right now I'm thinking of a particular gentleman who has never been arrested, has all his concealed carry permits and has weaponized all his vehicles and home as permitted by law, and also happens to drive while drinking from open containers that often contain alcohol. He's never been written up for anything worse than speeding, but if his privacy were breached, he might be prosecuted, jailed, and even lose his right to bear arms (which might bother him more than jail, to hear him talk about it.) With his privacy in-place, he can continue to be respectable and "never arrested" and look down his nose at those who have been arrested and jailed. There are many, many other ways people break the law every day that could be exposed by a shift in "privacy" and significantly change their future liberty.
  The problem with the NSA doing what they did out of the chain of command is that they will come into possession of information that is potentially very valuable in the form of blackmail. I'm not saying that this did happen, but if it goes on long enough, it will, eventually, be determined, by the agency "out of control," that - in the name of national security - some people might need to be coerced to do something they might not do without the threat of releasing certain information. That kind of protection, I do not want.
15. Re:That's the whole country by Hognoxious · 2014-01-11 13:49 · Score: 1
  
  Well, there were significant breeches in the Canadian Targets
  
  It's cold up there, so heavy trousers would be a popular item.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
16. Re:That's the whole country by girlintraining · 2014-01-12 21:37 · Score: 1
  
  What everybody is worried about is "losing their privacy" so that all the laws that they break on a regular basis might get enforced on them.
  Close but no cigar. This has been a problem since the 1950s when the FBI engaged in numerous high-profile attacks against political undesireables, setting up constant surveillance. The simple truth is, everyone's a criminal. We always have been. The laws don't exist to promote fairness and justice, but order, and that's a very different thing than the first two. Order is essentially subservience to authority. Anyone who is different, atypical, abnormal, politically undesireable, a minority, poor, etc., is considered a blight upon the landscape of the perfectly ordered society and should be informed and then manipulated, exploited, or otherwise forced into ceasing to be visible in public. Law enforcement is not fair, or impartial, or anything else. It is highly biased, racist, and generally filled with first rate assholes... because frankly, that's what society wants.
  The problem with the NSA is not the NSA. The problem with the NSA is our cultural attitudes, which the NSA is an institutionalized abstract of. We are, in a fashion, the reason for the NSA's existance and at the same time the target of its operations. If you look at it in terms of creating order (irrespective of the morality and ethics of said activity) then everything that's happening makes sense in a clear and straightforward fashion.
  There's no need for conspiracies, no need to discuss liberty, no need for martyrs or heroes, no finger pointing about who is out of control, and who's not doing their job, etc., etc. It's all very simple: We created the problem. We just don't like the consequences. It's like this -- watch someone you don't like suffer, and you don't generally ask if it's fair. It's that feeling, motivation, and aspect of humanity, that has created all the problems referenced within.
  "The bigs hit me, so I hit the littles. That's fair."
  -- Every bully. Ever.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
JFC by rmdingler · 2014-01-10 13:58 · Score: 1

Are you kidding me.?.?. it's like a five-year-old lying about something he did, letting the truth slip out a little bit at a time.

--
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
It's an inside job. by Anonymous Coward · 2014-01-10 14:02 · Score: 1

I worked on these systems and they are are all internal: POS to store server to regional server. If it was exposed to the internet, someone went out of their way to be stupid or to steal.
Any malware on the system was brought to it by key drive or by the Internet connection that nobody knew about.
This is NOT some dipshit script kiddie - this is an employee who wanted to do harm and get rich.
1. Re:It's an inside job. by mysidia · 2014-01-10 16:39 · Score: 1
  
  If it was exposed to the internet, someone went out of their way to be stupid or to steal.
  Must apply Hanlon's razor here. Someone probably did something stupid. Without evidence to the contrary; it could just as easily be a UIT (Unintentional Insider Threat), as an Intended Insider Attack.
Lots of class actions by pcwhalen · 2014-01-10 14:02 · Score: 1, Interesting

I'm a plaintiff's attorney and I filed before Christmas. Lots of other firms out there with lots of other cases.
Target should have had at least had one sys admin to see that kind of data bump crossing their network while the breach occurred. They advertise for techs that can use Hadoop. They have to understand something about data and bandwidth with 100 million names in a database.
With that amount of data crossing the servers, shouldn't someone seen something?
There's more. Write me if you want info about mine or other cases. target at paulwhalen dot com
[nothing within this post shall be considered a legal opinion, solicitation or attorney advertising]

--
Pay no attention to the man behind the curtain with all your metadata.
1. Re:Lots of class actions by msmonroe · 2014-01-10 14:26 · Score: 1
  
  Paul you should probably spend some money to update your web site. ; )
  That comment being out of the way.
  It had to have taken some time to transfer the data, it would seem like there would be plenty of time to catch what was going on.
  All seems pretty negligent. Are the banks going to sue them, after all don't the banks become liable for Targets actions at the end of the day, correct?
2. Re:Lots of class actions by bloodhawk · 2014-01-10 14:33 · Score: 2
  
  that isn't actually a lot of data size wise, especially if stolen over a period of time, and no it would be unusual to spot it leaving the network. The data has to be properly secured, trying to detect data leaving your network would be a near impossible task. Don't get me wrong Target have majorly fucked up but your expectations of where this should have been detected are dead wrong.
3. Re:Lots of class actions by pcwhalen · 2014-01-10 14:38 · Score: 2
  
  Web site overdue for an update? Guilty. On my to do list for years [and probably years from now].
  Krebs On Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and Master Card. Target wouldn't have caught it as soon as they did unless they were told.
  Negligent? Er, uh, yup.
  But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.
  It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs.
  [See? Lousy HTML skills. Sorry.]
  
  --
  Pay no attention to the man behind the curtain with all your metadata.
4. Re:Lots of class actions by pcwhalen · 2014-01-10 14:42 · Score: 1
  
  You may well be correct and I should not have conjectured. Truly, I have never run Hadoop or any relational data set of any size. Maybe it's something that wouldn't make a dent in bandwidth or come up on some sys admin's radar.
  It is indeed more the question that the data wasn't properly secured that allowed for the loss.
  That's a lot of data, though....
  
  --
  Pay no attention to the man behind the curtain with all your metadata.
5. Re:Lots of class actions by nwf · 2014-01-10 15:21 · Score: 1
  
  That's a lot of data, though....
  It's bet it's less than 1% of what traverses their network every day. If they are using hadoop for marketing purposes, I'd guess all the CC information for every account in the US is a drop in the bucket in comparison. I'd further bet it compresses well, as does most text, making it the size of a few nice digital pictures of cats.
  
  --
  I don't know, but it works for me.
6. Re:Lots of class actions by bloodhawk · 2014-01-10 15:33 · Score: 1
  
  That's a lot of data, though....
  In data warehouse terms it isn't actually a lot of data at all. I would imagine their data storage would be in the multi petabyte range. a couple of hundred gig could traverse the network in a very short period of time and not even register as an unusually large amount of data.
7. Re:Lots of class actions by Hamsterdan · 2014-01-10 15:44 · Score: 1
  
  "It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs."
  Right on. I've had a 200$ fraud in my account just before the holidays. Royal Bank Of Canada can't access the ATM cameras (they tell me it's not one of theirs). Their argument is since they can't prove it was somebody else using the card, *I* have to eat the losses. Great, and all that time I thought people were innocent until proven guilty in that country.
  
  --
  I've got better things to do tonight than die.
8. Re:Lots of class actions by queazocotal · 2014-01-10 17:21 · Score: 1
  
  Name, CC number and details, ...
  This will - minimally at least - compress to about 100 bytes per record.
  5 or 10GB is not a lot of data any more.
9. Re:Lots of class actions by DarkOx · 2014-01-10 18:27 · Score: 1
  
  There is absolutely no reason to take CC data out of the transaction system and put in the data mart. None, I helped build a activity based costing system for a major retailer you create a surrogate customer id, and your store the tender type. Ids/ips sensors should spot pii and cc info leaving the PCI world in bulk going anywhere unexpected, even if it's not much data in terms of network traffic.
  If the environment is properly secured and instramented ex filtration should be detected
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
10. Re:Lots of class actions by SOOPRcow · 2014-01-10 18:36 · Score: 1
  
  To play devils advocate the person whom you are accusing of fraudulently making charges on to your account is innocent until it can be proven that they are guilty. You're reporting a crime; you're not being accused of a crime and thus the state of your guilt is not in question. A more "appropriate" statement would be "I thought the customer was always right". However, I think we both know that isn't always true either :/
11. Re:Lots of class actions by Osgeld · 2014-01-10 20:57 · Score: 1
  
  our company produces multiple millions of units of product a year, taking way more information per unit than a credit card transaction
  in the 3 years I have been there we have generated 20 gig-bytes of pure plain ascii text
  get a clue
12. Re:Lots of class actions by msmonroe · 2014-01-10 22:03 · Score: 1
  
  I had my ATM card information stolen (apparently) and someone was using it as a debit card, charging gas all over LA before my bank froze the account; this was about a year ago btw. I only found out because they froze the account when I tried to use it, ironically it was at Target I think.
  The bank gave me a pretty hard time, trying to get me to admit that I was driving around for hours in LA and buying gas on my debit card, really strange experience with them, I had never used my card that way before.
  They reluctantly put the money that had been stolen back in my account and sent me a new card; I later had to document that I had not given my information to anyone and did not make the charges.
  I have found out though that for a debit card when it is used with the PIN your liability, USA, is $500 but when used as a credit card it is $50. The bank technically didn't have to return the all the money. I have since stopped using my debit card as anything but a credit card.
13. Re:Lots of class actions by msmonroe · 2014-01-10 22:17 · Score: 1
  
  Ha your HTML skills are fine. ;)
  
  I am pretty shocked by the revelation that Target was clueless about the breach, makes me angry enough to not want to ever shop there. The 10% off that they offered and a free credit report doesn't seem like enough. It would be nice if they would submit to a third party security audit to verify that steps have been taken to rectify their security issues.
  
  Funny question, Do you think that it could have been a criminal conspiracy to cover it up by Target?
14. Re:Lots of class actions by chittychitty!! · 2014-01-10 23:54 · Score: 1
  
  5 mod points but not a one that says "CONTRITE". I guess it's so rare.... Anyway, +1 CONTRITE.
They declined me ... by TrollstonButterbeans · 2014-01-10 14:19 · Score: 4, Interesting

Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

[True story!]

--
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
1. Re:They declined me ... by nwf · 2014-01-10 15:24 · Score: 1
  
  Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".
  [True story!]
  If you write to them, I'm pretty sure they are required to tell you. Plus, you can get free copies of your credit reports as a result.
  No loss, though. I had one of their CCs and their customer support was so amazingly inept that I cancelled out of frustration. I've never dealt with a CC company with such pathetic customer support. It makes me mad just thinking about it. I can only imagine how well they handled a massive amount of fraud on their cards. Good thing their support is in India or people would have liked showed up with baseball bats.
  
  --
  I don't know, but it works for me.
2. Re:They declined me ... by mysidia · 2014-01-10 16:41 · Score: 1
  
  You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit
  There's a circularity issue there. If you can't send in an application and get credit without credit history, then nobody should have credit....
3. Re:They declined me ... by DigiShaman · 2014-01-10 19:10 · Score: 1
  
  There are two types of credit cards: secured and unsecured. The most common credit card is unsecured (we just call them credit cards). That means the card is issued based on a persons credit history and their score. The secured credit card is like a CC with training wheels. It requires funds in the bank to be used as collateral up front. Typically you only need one for the first year to establish a credit history and then graduate to the unsecured variety.
  
  --
  Life is not for the lazy.
4. Re:They declined me ... by mysidia · 2014-01-10 20:39 · Score: 1
  
  There are two types of credit cards: secured and unsecured.
  The concept of a "secured" credit card, makes about as much sense as a mortgage loan requiring you to capitalize an extra 20% fee, and a 100% down payment of the principal being borrowed, in order to get the loan.
target messes with there employees and does not OT by Joe_Dragon · 2014-01-10 14:20 · Score: 2

target messes with there employees and does not pay OT
http://www.huffingtonpost.com/2011/10/17/target-manager-fired-lunch-break_n_1016100.html
Good excuse by bob_super · 2014-01-10 14:24 · Score: 4, Interesting

My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.
1. Re: Good excuse by Anonymous Coward · 2014-01-10 14:36 · Score: 3, Informative
  
  Er this isn't about their super bonus target credit card plus or whatever they call it. This is a database they created of everyone who shopped at target and used any form of credit card. You could just have easily ended up on the list by using a bank issued debit card.
2. Re:Good excuse by Anonymous Coward · 2014-01-10 14:43 · Score: 2, Informative
  
  I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.
3. Re: Good excuse by bob_super · 2014-01-10 17:35 · Score: 1
  
  And the UK porn filter is used to quash file-sharing websites, and 9/11 was used to take down Saddam, and...
  I'm an evil person, and "you can trust retailers' databases security" is hopefully not going to have a better illustration anytime soon.
  At least I'm not conjuring "in this economy" or "think of the children", I'm just carefully wording the truth for her own good.
  No oppressed majority will be enabled to regain power and team up with my enemies in the process.
4. Re:Good excuse by evilviper · 2014-01-10 21:10 · Score: 1
  
  If the JC Penny breach didn't do it, why would this one? Was Target the epitome of safety and security in your eyes?
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
5. Re:Good excuse by Shados · 2014-01-11 05:02 · Score: 1
  
  This probably isn't even anything to do with Wall Street assholes.
  Are you a software developer? Or do you know some? Probably since you're on slashdot.
  Did you or any of them come out of college with the aspiration: "I want to go work for Walmart, Target, or any number of high profile brick and mortar retail chain, its going to be awesome!!!" (Amazon obviously doesn't count).
  No, you and they didn't. That shit is hard. Its a different kind of challenge, more around integration and dealing with a billion weird rules and laws that change all the time. Its hard and it sucks. Since it sucks, the people with the skill to handle it don't work there. PCI compliance at that tier (its more complicated the bigger you are) is batshit crazy.
  So sooner or later, the massive amount of second grade IT people they end up hiring (because they end up not having a choice...no amount of money or benefit will get them top grade that they need) fuck up, and this happens.
  They can give 6 monitors, free gourmet lunches, fridays off, 200k a year, top insurance plans and shuttles that pick you up at your door, and STILL no one worth their salt will work there. Greed is the least of their problem.
6. Re:Good excuse by bob_super · 2014-01-11 19:44 · Score: 1
  
  Because we shop at JC Penny almost as often as we shop for for Ferraris.
  It's not as effective when it hits too far.
Re:I have to get better sources apparently... by Anonymous Coward · 2014-01-10 14:47 · Score: 5, Informative

They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.
The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.
We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.
Bad Math? by umdesch4 · 2014-01-10 14:49 · Score: 4, Interesting

The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.
1. Re:Bad Math? by nwf · 2014-01-10 15:26 · Score: 2
  
  The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.
  Probably the people who wrote the obamacare web site.
  
  --
  I don't know, but it works for me.
2. Re:Bad Math? by Anonymous Coward · 2014-01-10 16:54 · Score: 1
  
  No.
  
  A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million
  They are (clumsily, I'll admit), stating that the record increased from 40 million to 70 million. The previous record-holder being the 40 million credit cards breached, the new record being the 70 million emails/addresses/etc breached from a different system, totaling: 110 million records. Though there most likely is a ton of overlap so conflating 110 million records with 110 million 'victims' is still kinda dumb.
Re:target messes with there employees and does not by nwf · 2014-01-10 15:17 · Score: 2

If they are paying their IT staff $10/hr, then I'd expect nothing less. However, I doubt that. The IT staff are probably mostly salaried, which means no OT.

--
I don't know, but it works for me.
from the ok-this-time-try-20-percent-off dept. by pcwhalen · 2014-01-10 15:20 · Score: 1

That's pretty funny. I really have to read the subtitles under the subject lines on \.
High-sterical. Literal LOL.

--
Pay no attention to the man behind the curtain with all your metadata.
Target is the new Kmart by Osgeld · 2014-01-10 15:23 · Score: 2

Bunch of shit I dont want, one thing I do want they dont have, simple things like brasso
anyway, I bought 1 thing from target cause the reviews were high and it was the only place I could get it local, now I am tied up in this mess
between those two its going to be a cold day in hell before I step foot back in that store
ps where is this free credit monitoring they offered me almost 3 weeks ago?
1. Re:Target is the new Kmart by Kardos · 2014-01-10 17:54 · Score: 1
  
  Go back to cash. There's no risk of identity theft with cash.
2. Re:Target is the new Kmart by Osgeld · 2014-01-10 20:47 · Score: 1
  
  no just the risk of loosing cash on the way to or from the car with no chance in hell of ever getting it back
3. Re:Target is the new Kmart by evilviper · 2014-01-10 21:23 · Score: 1
  
  I must reluctantly agree with you... There used to be several retailers out there where you could go and buy ANYTHING. Now, it seems they're dropping anything that isn't high enough margin, or a big enough seller. A few years ago I didn't go to Walmart for anything, ever. Then I fought with ridiculous parking to stop by Target, only to find that their 12 rows of shoes had one-half of one-isle dedicated to men, and almost entirely dress shoes.
  Have you ever walked through an entire pet store and found that they didn't even have a spot, anywhere, for flea collars?
  Yes, many retailers are, for all practical purposes, forcing their customers to shop at Walmart. I don't know if it's a side-effect of price matching, or bean counters insisting on all stocked merchandise meeting some silly metric, but whatever the case, they're all dropping the ball, badly.
  I like KMart and Sears, but losing half a billion dollars every year just doesn't bode well for their propects of being around much longer.
  Heck, maybe I should get some venture capital and open up some brick and mortar "Amazon" stores all ovr the place.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
4. Re:Target is the new Kmart by kaatochacha · 2014-01-13 11:08 · Score: 1
  
  In the future, there ARE not stores.
  Think Wal-e
Re:Fact Is by jeffb+(2.718) · 2014-01-10 15:25 · Score: 2

And just too bad for the 360K people they employ, nearly none of whom could have known or done anything about this, right?
Not just December, not just Target by Snotnose · 2014-01-10 16:04 · Score: 1

1) The breach was discovered in December, sounds like it's been going on for months. 2) I'd be very surprised if Target is the only entity that got breached. I keep waiting to hear "Oh, hey, 'member that Target thing? It's now a Walmart, Sears, TJ-Maxx, and Nordstroms thing".
1. Re:Not just December, not just Target by Z00L00K · 2014-01-10 18:45 · Score: 1
  
  It's in that case every outlet in North America regardless of size.
  
  --
  If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
2. Re:Not just December, not just Target by Anonymous Coward · 2014-01-10 19:04 · Score: 1
  
  Neiman Marcus also, according to the NY Times.
Am I the only person who doesn't care anymore? by rjejr · 2014-01-10 16:29 · Score: 4, Interesting

About 20 years ago somebody behind me at a Detroit gas station had their tank of gas billed to my credit card. A few years ago Sony gave it all away. Next year I'm sure there will be another security breach. And the year after that. And the year after that. I shop in Target every week with my Target credit card, and I will continue to do so. They are going to get you one way or another. Or they aren't. Target obviously screwed up, their security was lax, their investigation is pathetic, their forth coming with the news leaves alot to be desired. But I'm not going to kill myself, cut up all my credit cards and start using cash, or leave the country. I don't blame people for not shopping there anymore, or switching to cash, but I just don't care anymore. This shit happens all the time, every day people have their identity stolens, it sucks, but it's part of everyday life now, no getting around it. Well suppose tehre's the Amish way, but thats just not for me.
1. Re:Am I the only person who doesn't care anymore? by GodfatherofSoul · 2014-01-10 16:46 · Score: 3, Insightful
  
  I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very caution and I've had 3 fraudulent uses of my card 3 times already (thankfully the bank didn't charge me).
  
  --
  I swear to God...I swear to God! That is NOT how you treat your human!
2. Re:Am I the only person who doesn't care anymore? by Anonymous Coward · 2014-01-10 18:55 · Score: 1
  
  Thankfully? WTF? *NO* "The bank did not charge me for fraud committed by another person." No thankfully.
3. Re:Am I the only person who doesn't care anymore? by Osgeld · 2014-01-10 20:49 · Score: 1
  
  what the hell do you buy at target, overprice old canned goods, or shitty paper storage cubes, I have not found much of value at target even when they were not retarded
  for fucks sake it took nearly 10 min to get a half warm shitty ass hot dog on a rock hard stale bun
  incompetent on every single level
4. Re:Am I the only person who doesn't care anymore? by evilviper · 2014-01-10 21:08 · Score: 1
  
  Paying in cash is a far cry from killing yourself, or going Amish... In fact it's often more convenient than cards. Ever tried to split a bill between 10 people, all on their cards?
  I could still have my identity stolen, you say? Well since I have no credit history at all, they won't get much use out of it.
  There's a few ways ID theft could incovenience me, but far less than you're exposing yourself to, and will have far less impact on me.
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
5. Re:Am I the only person who doesn't care anymore? by cascadingstylesheet · 2014-01-11 00:38 · Score: 1
  
  Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.
  Because if the government "does something", there will magically be no economic tradeoffs?
  Because the government has proven they are such security experts?
6. Re:Am I the only person who doesn't care anymore? by Shados · 2014-01-11 04:53 · Score: 1
  
  Drop 10 credit cards on the table, tell the waiter to split the bill. Do that all the time.
  Of course, in more civilized areas, restaurants give out individual checks, so its never a problem. It drives me bunker since I moved here that in most of the greater boston area they usually give 1 check per table...ugh.
7. Re:Am I the only person who doesn't care anymore? by 0123456 · 2014-01-11 05:06 · Score: 1
  
  Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change.
  Uh, what do credit cards have to do with the "free market"?
  Hint: do you really, actually, think I can just set up a new credit card company tomorrow, without having to deal with a tsunami of government regulations around the world?
8. Re:Am I the only person who doesn't care anymore? by GodfatherofSoul · 2014-01-11 06:14 · Score: 1
  
  You might want to do some research into bank policies on credit cards. There are situations where the bank makes you eat the charges; I believe after about a week on debit cards.
  
  --
  I swear to God...I swear to God! That is NOT how you treat your human!
9. Re:Am I the only person who doesn't care anymore? by kaatochacha · 2014-01-13 12:26 · Score: 1
  
  Cash isn't that hard, unless you're used to charging everything and living on debt.
  That's the hardest (and best) part about paying cash for everything: If you don't have the money, you can't afford to buy it.
  It's better for cutting spending as well. It's much harder, psychologically, to spend $100 cash than it is to swipe your card.
Re:target messes with there employees and does not by desertfool · 2014-01-10 16:32 · Score: 1

Or they outsourced....

--
Just a dude. Stuck in IT.
Re:Fact Is by mysidia · 2014-01-10 16:44 · Score: 1

if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people.
If it didn't happen to the Comodo certificate authority, who had signed a bunch of rogue SSL certificates: when their whole business model is to be a cert provider of reliable verified trust, then it won't happen to Target.
Re:I have to get better sources apparently... by Z00L00K · 2014-01-10 18:43 · Score: 2

In a proper solution the dealer like Target shall not even have access to the unencrypted identification data, that shall be passed between the terminal and the bank or payment handler encrypted and the dealer shall only need to get "approved" or "denied" back for the request.
In addition to this - magnetic stripes are obsolete, they were introduced during the 70's. Modern cards has a chip which is harder to duplicate. Not impossible, but a lot harder. Almost all terminals in Europe handles chips, and all major European banks provides cards with chips these days.
Of course - credit card identification data should be considered an ID theft and that should be a capital crime. It would sure deter at least some criminals when they know that they will face Madame Guillotine.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
the PCI compliance affidavit may be fraudulent by raymorris · 2014-01-10 19:08 · Score: 1

Target execs signed sworn documents affirming that they were PCI compliant. Large companies have to do an audit of their PCI compliance so that they actually know if they are compliant or not. That statement of compliance saved them millions in extra processing fees (or allowed them to get processing at all).
IF those documents were false, that's lying for material gain aka fraud. We don't yet know if a) they were PCI compliant or b) they had the required audit and thought they were compliant. It appears likely that they may not have been compliant, and they knew or should have known. That's one potential fraud.
Further, there is an implied warranty to customers that cardholder data would be handled according to best practices. If they were reckless, that COULD be construed as fraud.
Re:target messes with there employees and does not by Mr.+Shotgun · 2014-01-10 19:11 · Score: 2

Or they outsourced....
You may be joking, but after the initial story broke I did look at their career website to see if they had an opening for a information security position (for the lulz) and noticed most of their IT positions were based in India. Since then they seemed to have reduced the amount of IT positions based out of India, maybe because of this, maybe they filled them. But still seems kinda odd.

--
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
100 million CCs = 800 MB = 10 seconds of data by raymorris · 2014-01-10 19:27 · Score: 1

A credit card number in a decent database is 8 bytes.
Therefore, 100 million CC numbers is 800 million bytes.
That's 800 MB, which is the amount of data a gigabit Ethernet can transfer in 10 seconds.
With the name on the card, and such, it's a few GBs. Maybe one minute of data transfer or thereabouts.
If it took the thieves a few hours to download over a slow connection, that would have been less than 1% of Target's traffic during that time period.
Never would have guessed a Windows POS by mc6809e · 2014-01-10 20:07 · Score: 1

Are they insane?
Agreed by justthinkit · 2014-01-10 23:05 · Score: 2

Some time back I had an acquaintance of a friend abuse my credit card. Bought a round trip from Africa to England with my card. Thousands of dollars. I told the CC people I knew who did it and I wanted to prosecute the guy. They weren't interested and not a thing happened to this person.

--
I come here for the love
1. Re:Agreed by BringsApples · 2014-01-11 03:57 · Score: 1
  
  Holy crap! Did you have to pay the bill, or did they just eat it?
  
  --
  Politics; n. : A religion whereby man is god.
2. Re:Agreed by justthinkit · 2014-01-11 14:06 · Score: 1
  
  The credit card company ate the charge. The CC companies must be very big businesses indeed when $2,500 or so of charges is not worth bringing criminal prosecution.
  
  --
  I come here for the love
3. Re:Agreed by BringsApples · 2014-01-11 15:25 · Score: 1
  
  That's amazing, seeing as how they could prove it very easily (plane ticket purchase would require photo ID matching the passenger).
  
  What credit card company was this? I may need to look into getting back into credit cards if it's this easy these days to sluff off charges.
  
  --
  Politics; n. : A religion whereby man is god.
4. Re:Agreed by ahabswhale · 2014-01-11 17:28 · Score: 1
  
  They don't care because the credit card company isn't the one who eats it. The merchant who accepted the fraudulent charge does. This is why the security of cards is complete shit in this country.
  
  --
  Are agnostics skeptical of unicorns too?
not mag stripe data by dutchwhizzman · 2014-01-11 00:12 · Score: 2

They got full data, much more than was on the mag stripes. The whole database of customers including their address data and all that has been stolen. Mag stripes don't hold all the information described here so there must be a database that has been broken in to.

--
I was promised a flying car. Where is my flying car?
Re:I have to get better sources apparently... by Joce640k · 2014-01-11 00:40 · Score: 2

The PINs were supposedly encrypted with 3DES (which isn't exactly robust)
Stop repeating those crappy news sites. There's nothing wrong with 3DES.
DES is one of the few cyphers which has never shown a weakness in the algorithm. Yes, it has a small key size, hence 3DES. The only real reason not to use it is software performance (DES was designed for hardware implementation, not software).
https://en.wikipedia.org/wiki/Data_Encryption_Standard#Replacement_algorithms

--
No sig today...
H1-B city by swb · 2014-01-11 01:21 · Score: 1

Walk through the lobby of the office tower at City Center where Target has offices and its H1-B city. They are, like most corporations, looking to cut IT costs as much as possible and hire legions of H1-Bs.
It wouldn't surprise me at all if the volume of H1-Bs doesn't lead to a management arrogance towards IT staff that extends to native-born IT workers which I'm sure would do plenty create the kind of grievance which would help motivate an insider to participate in this kind of fraud.
Re:I have to get better sources apparently... by DarkOx · 2014-01-11 02:26 · Score: 1

That "encrypted with 3DES" thing has bothered me too, it does not make much sense unless they mean the filesystem the database is on or something. Otherwise how do you effectively cipher a 4 digit pin with 3DES?
Yes some databases can cipher tables, but that isn't really helpful against an online attack where the table is already unlocked.
Ideally you would store the ciphered values and the application layer would have the key, which leaves you with needing to make sure you select unique IVs for every PIN otherwise you will have lots of repeated cipher texts with some known plain texts and lots of pins will be exposed quickly and easily.
All in all without more detail and given this appears to have been an online attack, I don't have much confidence that those PINs are secure against even the most amateur crypto analysis ( if they did not actually get them in the clear to start with, again possible even likely given the access vectors ) for longer than hours.

--
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Re:I have to get better sources apparently... by LifesABeach · 2014-01-11 08:51 · Score: 1

Why doesn't everyone just admit the painfully obvious, "Someone has blown the doors off of the Target Cyber Security Walls." Ignoring that this affects 45% of the U.S.; this personal wet dream called, "Target" should be facing criminal charges.

Personally, I am hoping that those responsible for this theft never sleep in the same bed twice.
Re:I have to get better sources apparently... by Joce640k · 2014-01-11 10:44 · Score: 1

You should stop reading wikipedia for your info. DES is woefully weak, hence triple DES, which is 168 bits long and has yet to be cracked.
Short key != weakness in algorithm.
DES has never been "broken".

--
No sig today...
Visa by justthinkit · 2014-01-12 02:28 · Score: 1

It was Visa. It was also 20 years ago. In Canada.

--
I come here for the love