Target Credit Card Data Was Sent To a Server In Russia

angry tapir writes "The stolen credit card numbers of millions of Target shoppers took an international trip — to Russia. A peek inside the malicious software that infected Target's POS (point-of-sale) terminals is revealing more detail about the methods of the attackers as security researchers investigate one of the most devastating data breaches in history. Findings from two security companies show the attackers breached Target's network and stayed undetected for more than two weeks. Over two weeks, the malware collected 11GB of data from Target's POS terminals. The data was first quietly moved to another server on Target's network and then transmitted in chunks to a U.S.-based server that the attackers had hijacked. Logs from that compromised server show the data was moved again to a server based in Russia starting on Dec. 2." A related article at Wired points out that Target suffered a similar breach in 2005, and apparently didn't learn its lesson.

And the NSA Missed All Of This?

[littlewink]

Where's our protection from Russian financial terrorists? Were the NSA employees in charge distracted by their Starbucks carmel macchiatos at the time this was coming down?

A clear instance of international crime/terrorism and NSA was asleep at the wheel.

Re: POS

[ChromaticDragon]

I am curious regarding your information. Got source?

Last I'd heard, the expected sum of lawsuits, settlements, fines, etc. would be WELL over $100mil (as in several times that). Apparently, for reference, a similar breach, TJ Maxx, ended up being closer to $200mil.

Furthermore, it seems Target was self-insured for this. So it isn't quite correct to think they will glibly had this bill to an insurer - they ARE their own insurer.

PCI compliance?

[NynexNinja]

Target suffered similar data theft in 2005, and now again in 2013. By storing cardholder information, CVV's and (worst) PIN's in the clear, they obviously are not PCI DSS compliant. If this happened to any other retailer, Visa would revoke their PCI compliance status. If nothing happens regarding their PCI compliance status, what does it say about PCI compliance in general? PCI compliance is nothing but a joke, not to be taken seriously. Why even go through the work and trouble to get PCI DSS certified if companies like Target can flout the rules and get away without any penalties.

Re: POS

[Megane]

The thing that bugs me most is that they were on a network that was routed to the entire internet. Yeah, I don't think a POS terminal needs to be able to check Google or Facebook, much less "chernyykhod.ru". Even simply putting them on a VLAN with a very restrictive firewall to the public internet would have avoided the problem. And a RFC-1918 network doesn't count if it's behind a NAT router, since these packets went outbound from the POS. Belt and suspenders.

Re: POS

They might care, but I can bet their solution will be more bureaucracy rather than better technology. There are likely IT people within the company that see the problems and know how to fix them but they will be ignored. CxO types hate those annoying IT people that are always complaining about security. They will bring in a solution sold by a slick sales person at a major company.