Target Admits Data Breach May Have Up To 110 Million Victims

Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."

33 of 213 comments

  1. Wait.... What?! by Lukano · · Score: 2

    Target just managed to 'Oh... our bad, a bunch of other systems and avenues were also hacked.... well before the system(s) we're talking about now were hacked.....'... and this isn't a bigger deal?

    Contradict me if I'm wrong, but are they not talking out of the side of their mouths to say that they'd been breached earlier, and only knew it now / only divulged it now?

  2. That's the whole country by TrumpetPower! · · Score: 5, Interesting

    According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

    I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

    Cheers,

    b&

    --
    All but God can prove this sentence true.
    1. Re:That's the whole country by rmdingler · · Score: 2

      Well, there were significant breaches in the Canadian Targets, IIRC, so I suspect we're talking about multiple nationalities' credit data.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:That's the whole country by TheGratefulNet · · Score: 4, Insightful

      Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.

      I normally like and agree with your posts, but here you are pretty far off-base.

      What Snowden taught us is that the NSA is totally out of control and going WAY beyond their charter.

      Yes, that is information we did not have before and it's powerful information.

      --
      "It is now safe to switch off your computer."
    3. Re:That's the whole country by Jeremi · · Score: 3, Insightful

      Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!

      I like a reductio ad absurdum as much as the next guy, but I think a better response would be to move forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  3. Re:Target needs to be sued by Mashiki · · Score: 3, Insightful

    Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that Target is the benefactor of said breach?

    Really, the companies in the States are just starting to roll out chip & PIN like the rest of the world; while not a perfect system by any stretch, it's a hell of a lot better than magstripe only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

    --
    Om, nomnomnom...
  4. Re:Target needs to be sued by Waffle+Iron · · Score: 5, Insightful

    By the major credit card companies for gross negligence and conspiracy for fraud.

    No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

    The only piece of sensitive info used during a credit card transaction should be a private key that stays inside a tamper-resistant chip embedded inside my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.

  5. They declined me ... by TrollstonButterbeans · · Score: 4, Interesting

    Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

    [True story!]

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  6. Target messes with their employees and does not OT by Joe_Dragon · · Score: 2
  7. Good excuse by bob_super · · Score: 4, Interesting

    My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.

    1. Re: Good excuse by Anonymous Coward · · Score: 3, Informative

      Er, this isn't about their super bonus Target credit card plus or whatever they call it. This is a database they created of everyone who shopped at Target and used any form of credit card. You could just as easily have ended up on the list by using a bank-issued debit card.

    2. Re:Good excuse by Anonymous Coward · · Score: 2, Informative

      I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.

  8. Re:Target needs to be sued by pcwhalen · · Score: 3, Interesting

    In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.

    Oh, wait. That was when they claimed it was 40 million names.

    No way this was real time. Target must have been data mining.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  9. Re:Lots of class actions by bloodhawk · · Score: 2

    That isn't actually a lot of data size-wise, especially if stolen over a period of time, and no, it would be unusual to spot it leaving the network. The data has to be properly secured; trying to detect data leaving your network would be a near impossible task. Don't get me wrong, Target have majorly fucked up, but your expectations of where this should have been detected are dead wrong.

  10. Re:Lots of class actions by pcwhalen · · Score: 2

    Web site overdue for an update? Guilty. On my to do list for years [and probably years from now].

    Krebs On Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and MasterCard. Target wouldn't have caught it as soon as they did unless they were told.

    Negligent? Er, uh, yup.

    But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.

    It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs.

    [See? Lousy HTML skills. Sorry.]

    --
    Pay no attention to the man behind the curtain with all your metadata.
  11. Re:I have to get better sources apparently... by Anonymous Coward · · Score: 5, Informative

    They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.

    The additional customer records (some of which I assume overlap the RedCard holders whose CCs were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.

    We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.

  12. Bad Math? by umdesch4 · · Score: 4, Interesting

    The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

    1. Re:Bad Math? by nwf · · Score: 2

      The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

      Probably the people who wrote the Obamacare web site.

      --
      I don't know, but it works for me.
  13. Re:Target needs to be sued by LordKronos · · Score: 2, Informative

    Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 million spread across that and over 19 days comes to 1 transaction every 46 seconds.

    Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (let's round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably closer to an average of 14 hours a day for the holiday season. So that's 78 per hour, or one transaction every 46 seconds. Somehow I think they can manage a bit more than that. Even if you factor in that not every transaction is a credit/debit transaction, I think it's still very believable.

  14. Re:Target messes with their employees and does not by nwf · · Score: 2

    If they are paying their IT staff $10/hr, then I'd expect nothing less. However, I doubt that. The IT staff are probably mostly salaried, which means no OT.

    --
    I don't know, but it works for me.
  15. Re:Target needs to be sued by beanpoppa · · Score: 2

    I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

  16. Target is the new Kmart by Osgeld · · Score: 2

    Bunch of shit I don't want, one thing I do want they don't have, simple things like Brasso.

    Anyway, I bought 1 thing from Target 'cause the reviews were high and it was the only place I could get it locally, and now I am tied up in this mess.

    Between those two, it's going to be a cold day in hell before I step foot back in that store.

    PS: where is this free credit monitoring they offered me almost 3 weeks ago?

  17. Re:Fact Is by jeffb+(2.718) · · Score: 2

    And just too bad for the 360K people they employ, nearly none of whom could have known or done anything about this, right?

  18. Re:Target needs to be sued by beanpoppa · · Score: 4, Interesting

    Not sure why you think credit card companies don't care about fraud. They invest a lot in systems that study CC usage to flag transactions for possible fraud. In the last year, I've had 3 situations where a transaction has been declined until I contact the CC to verify that they are legitimate transactions. You might not feel that they do enough, but they certainly have an effort. There is just a point of diminishing returns where they've decided that it's not worth the extra effort to get fraud down below a certain level.

  19. Am I the only person who doesn't care anymore? by rjejr · · Score: 4, Interesting

    About 20 years ago somebody behind me at a Detroit gas station had their tank of gas billed to my credit card. A few years ago Sony gave it all away. Next year I'm sure there will be another security breach. And the year after that. And the year after that. I shop in Target every week with my Target credit card, and I will continue to do so. They are going to get you one way or another. Or they aren't. Target obviously screwed up, their security was lax, their investigation is pathetic, their forthcoming with the news leaves a lot to be desired. But I'm not going to kill myself, cut up all my credit cards and start using cash, or leave the country. I don't blame people for not shopping there anymore, or switching to cash, but I just don't care anymore. This shit happens all the time, every day people have their identity stolen, it sucks, but it's part of everyday life now, no getting around it. Well, I suppose there's the Amish way, but that's just not for me.

    1. Re:Am I the only person who doesn't care anymore? by GodfatherofSoul · · Score: 3, Insightful

      I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very cautious and I've had 3 fraudulent uses of my card 3 times already (thankfully the bank didn't charge me).

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
  20. Re:Target needs to be sued by BringsApples · · Score: 4, Interesting

    Well, point taken. But not long ago, a friend's card was stolen, so he cancelled it. The next month, he got a bill from the credit card company. It appeared that the thief went and filled up his gas tank, as well as either a buddy's, or a boat or something, 3 Fridays in a row, same gas station, roughly same time of the day. The credit card company assured him that he wasn't expected to pay, and that they'd cancelled the card. Next month, same thing, roughly same amount, roughly same time, same day (Friday), same gas station. Again he called, same response - "no worries". Next month, same thing. Finally he told them, "Hey look, this guy's going to be there next Friday at about [whatever time it was], why not just have the cops waiting?" They basically told him that sometimes it takes a while before the gas station pumps are capable of registering that the card is bad/cancelled, and that there was no need to alert the police.

    To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.

    --
    Politics; n. : A religion whereby man is god.
  21. Re:Target needs to be sued by Fnord666 · · Score: 2

    I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

    I got one when they first came out. It even came with a card interface to hook it up to your computer. They were trying their own thing if I recall, not EMV. They had a lot of grand plans for it, but they never actually did anything with it.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  22. Re:I have to get better sources apparently... by Z00L00K · · Score: 2

    In a proper solution the dealer, like Target, shall not even have access to the unencrypted identification data; that shall be passed encrypted between the terminal and the bank or payment handler, and the dealer shall only need to get "approved" or "denied" back for the request.

    In addition to this, magnetic stripes are obsolete; they were introduced during the 70s. Modern cards have a chip which is harder to duplicate. Not impossible, but a lot harder. Almost all terminals in Europe handle chips, and all major European banks provide cards with chips these days.

    Of course, theft of credit card identification data should be considered ID theft, and that should be a capital crime. It would sure deter at least some criminals when they know that they will face Madame Guillotine.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
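    A small simulation of the two key-management designs argued over in this thread: comment 11's suspicion that per-transaction PIN-pad keys crossed the same store network that was being sniffed, versus the design above where the key stays in the terminal's chip and the merchant sees only "approved" or "denied". This is an added example, not code from Slashdot or Target; the card PIN, key sizes and the HMAC-SHA256 keystream standing in for 3DES are all constructed assumptions.

    ```python
    import hmac
    import hashlib
    import secrets
    from typing import List, Optional, Tuple

    # Stand-in for the PIN pad's cipher: the thread talks about 3DES, but the
    # Python standard library has no DES, so an HMAC-SHA256 keystream XOR is used
    # here (an assumption); the key-handling lesson is the same for either.
    def pin_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
        stream = hmac.new(key, nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))


    class StoreNetwork:
        """The merchant's LAN. Everything sent across it is recorded, which models
        the passive sniffing suspected in comment 11."""
        def __init__(self) -> None:
            self.tap: List[Tuple[str, bytes]] = []

        def send(self, label: str, payload: bytes) -> bytes:
            self.tap.append((label, payload))
            return payload


    class PinPad:
        def __init__(self, key: bytes) -> None:
            self.key = key  # held inside the pad; the question is how it got there

        def pin_block(self, pin: str) -> bytes:
            nonce = secrets.token_bytes(8)
            return nonce + pin_cipher(self.key, nonce, pin.encode())


    class Acquirer:
        """Bank side: shares the pad's key and knows the cardholder's real PIN."""
        def __init__(self, key: bytes, real_pin: str) -> None:
            self.key, self.real_pin = key, real_pin

        def authorize(self, block: bytes) -> str:
            nonce, ct = block[:8], block[8:]
            ok = pin_cipher(self.key, nonce, ct) == self.real_pin.encode()
            return "approved" if ok else "denied"


    def run_transaction(entered_pin: str, key_over_lan: bool):
        key = secrets.token_bytes(16)
        net, acq = StoreNetwork(), Acquirer(key, "4321")  # constructed card PIN
        if key_over_lan:   # per-transaction key pushed to the pad over the store LAN
            pad = PinPad(net.send("key", key))
        else:              # key injected into the pad's secure chip; never on the LAN
            pad = PinPad(key)
        block = net.send("pin_block", pad.pin_block(entered_pin))
        return acq.authorize(block), net.tap  # merchant learns only approved/denied


    def recover_pin_from_tap(tap) -> Optional[str]:
        """What a passive tap yields: the PIN only if the key also crossed the LAN."""
        key = next((p for label, p in tap if label == "key"), None)
        block = next((p for label, p in tap if label == "pin_block"), None)
        if key is None or block is None:
            return None
        return pin_cipher(key, block[:8], block[8:]).decode()
    ```

    Both designs authorize the same transactions; the difference is only in what a tap on the store network can do with what it recorded.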
  23. Re:Target messes with their employees and does not by Mr.+Shotgun · · Score: 2

    Or they outsourced....

    You may be joking, but after the initial story broke I did look at their career website to see if they had an opening for an information security position (for the lulz) and noticed most of their IT positions were based in India. Since then they seem to have reduced the number of IT positions based out of India, maybe because of this, maybe they filled them. But it still seems kinda odd.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
  24. Agreed by justthinkit · · Score: 2

    Some time back I had an acquaintance of a friend abuse my credit card. Bought a round trip from Africa to England with my card. Thousands of dollars. I told the CC people I knew who did it and I wanted to prosecute the guy. They weren't interested and not a thing happened to this person.

    --
    I come here for the love
  25. not mag stripe data by dutchwhizzman · · Score: 2

    They got full data, much more than was on the mag stripes. The whole database of customers including their address data and all that has been stolen. Mag stripes don't hold all the information described here, so there must be a database that has been broken into.

    --
    I was promised a flying car. Where is my flying car?
  26. Re:I have to get better sources apparently... by Joce640k · · Score: 2

    The PINs were supposedly encrypted with 3DES (which isn't exactly robust)

    Stop repeating those crappy news sites. There's nothing wrong with 3DES.

    DES is one of the few cyphers which has never shown a weakness in the algorithm. Yes, it has a small key size, hence 3DES. The only real reason not to use it is software performance (DES was designed for hardware implementation, not software).

    https://en.wikipedia.org/wiki/Data_Encryption_Standard#Replacement_algorithms

    --
    No sig today...