Meetup Vulnerabilities: Escalation of Privilege and Redirection of Funds

Black Friday Breach Nightmare: At Least 45 Million Target Customers Affected

Target’s famous bullseye logo attracted some malicious arrows over the holiday shopping season as the national retail chain was the target of a major data breach that may be much more serious than first thought as details emerge.

The data breach will potentially affect hundreds of thousands, perhaps millions, of Target customers that shopped in-store at any of the American retail giant’s 1,800+ locations in the U.S. and Canada between Black Friday and December 15th. Brian Krebs, who first reported on the story on his blog, spoke with several sources that corroborated the same story: Target is currently working with the Secret Service to determine the perpetrators, cause, and outcome of an incident in which the data stored on customer’s magnetic card stripe was stolen.

Multiple sources from top credit card issuers who spoke with Krebs and the Wall Street Journal said they believed that the hack may have affected around 40,000 card devices at Target stores nationwide. The incident potentially affects the millions of credit and debit cardholders that shopped there over the past three weeks while the cyber theft was occurring undetected.

Target issued a statement via its website, stating:

“We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013….We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code). “

In response, Target is partnering with a forensics team for deeper investigations and putting their “full resources behind these efforts.” They’re recommending customers to review their  credit and debit card statements and check for any fraudulent activity. Target customers who shopped within the affected time period should also obtain credit reports from credit reporting agencies.

Estimates put the affected Target customer count at 45.7 million at least. One of the anti-fraud analysts Krebs spoke with indicated that this breach may be one of the largest retail breaches to date, possibly overtaking the TJ Maxx data breach. That incident, which was first discovered in 2007, claimed at least 46 million customers as victims of the credit card data breach over a period of 18 months.”

Brian Leary, a representative for the Secret Service confirmed to the Wall Street Journal that the Service is indeed investigating into the attack, but could not offer additional details as the investigation is ongoing. The Secret Service will oftentimes help with large-scale financial breach investigations like this one. Part of the Secret Service’s mission is to keep the country’s massive financial frame and payment systems relatively free from these sorts of malicious attacks.

Data stored on the card’s magnetic stripes can be reused to create counterfeit cards with machines that cost no more than $25. The outdated technology behind the magstripe, designed in the 60s, has struggled to survive in a world of increasingly advanced technology. The U.S. is the only advanced economy still using magstripes, while every other member of the G20 countries uses newer technologies like smart chips.

CC collage

Reports of magstripe data thefts have increased in recent years as the stripe stays insecure and vulnerable to attack. This past May, for example, one of the biggest ever ‘bank robberies’ came to light, which saw a total of $45 million stolen from ATM’s worldwide in just a few unified stings across two dozen different countries. It was a complicated heist, also investigated by the Secret Service, that involved first infiltrating an Indian company that processes credit-cards and stealing the details of Visa and MasterCard prepaid debit cards. After creating homemade debit cards using the stolen data, the hackers then raised the withdrawal limits on the cards and simultaneously withdrew huge wads of cash at ATMs all over the world.

Jump to Category