Target Admits Data Breach May Have Up To 110 Million Victims

Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."

That's the whole country

[TrumpetPower!]

According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

Cheers,

b&

Re:That's the whole country

[TheGratefulNet]

Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.

I normally like and agree with your posts, but here you are pretty far off-base.

what snowden taught us is that the nsa is totally out of control and going WAY beyond their charter.

yes, that is information we did not have before and its powerful information.

Re:That's the whole country

[Jeremi]

Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!

I like a reductio ad absurdum as much as the next guy, but I think a better response would be to forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards.

Re:Target needs to be sued

[Mashiki]

Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that target is the benefactor of the said breech?

Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

Re:Target needs to be sued

[Waffle+Iron]

By the major credit card companies for gross negligence and conspiracy for fraud.

No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick a security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

The only piece of sensitive info used during a credit card transaction should be a private key that stays inside in a tamper-resistant chip embedded inside my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.

They declined me ...

[TrollstonButterbeans]

Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

[True story!]

Good excuse

[bob_super]

My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.

Re: Good excuse

Er this isn't about their super bonus target credit card plus or whatever they call it. This is a database they created of everyone who shopped at target and used any form of credit card. You could just have easily ended up on the list by using a bank issued debit card.

Re:Target needs to be sued

[pcwhalen]

In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.

Oh, wait. that was when they claimed it was 40 million names.

No way this was real time. Target must have been data mining.

Re:I have to get better sources apparently...

They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.

The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.

We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.

Bad Math?

[umdesch4]

The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

Re:Target needs to be sued

[beanpoppa]

Not sure why you think credit card companies don't care about fraud. They invest a lot in systems that study CC usage to flag transactions for possible fraud. In the last year, I've had 3 situations where a transaction has been declined until I contact the CC to verify that they are legitimate transactions. You might not feel that they do enough, but they certainly have an effort. There is just a point of diminishing returns where they've decided that it's not worth the extra effort to get fraud down below a certain level.

Am I the only person who doesn't care anymore?

[rjejr]

About 20 years ago somebody behind me at a Detroit gas station had their tank of gas billed to my credit card. A few years ago Sony gave it all away. Next year I'm sure there will be another security breach. And the year after that. And the year after that. I shop in Target every week with my Target credit card, and I will continue to do so. They are going to get you one way or another. Or they aren't. Target obviously screwed up, their security was lax, their investigation is pathetic, their forth coming with the news leaves alot to be desired. But I'm not going to kill myself, cut up all my credit cards and start using cash, or leave the country. I don't blame people for not shopping there anymore, or switching to cash, but I just don't care anymore. This shit happens all the time, every day people have their identity stolens, it sucks, but it's part of everyday life now, no getting around it. Well suppose tehre's the Amish way, but thats just not for me.

Re:Am I the only person who doesn't care anymore?

[GodfatherofSoul]

I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very caution and I've had 3 fraudulent uses of my card 3 times already (thankfully the bank didn't charge me).

Re:Target needs to be sued

[BringsApples]

Well, point taken. But not long ago, a friend's card was stolen, so he cancelled it. The next month, he got a bill from the credit card company. It appeared that the thief went and filled up his gas-tank, as well as either a buddy's, or a boat or something, 3 Fridays in a row, same gas station, roughly same time of the day. The credit card company assured him that he wasn't expected to pay, and that they'd cancelled the card. next month, same thing, roughly same amount, roughly same time, same day (Friday) same gas station. Again he called, same response - "no worries". Next month, same thing. Finally he told them, "He look, this guy's going to be there next Friday at about [whatever time it was], why not just have the cops waiting? They basically told him that sometimes it takes a while before the gas station pumps are capable of registering that the card is bad/cancelled, and that there was no need to alert the police.

To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.