Target Breach Update: Up to One-Third of US Adults Now At Risk

The Target breach is nowhere near over. During its forensic investigation, Target has now found that at least 70 million customers were affected, much higher than the original estimate of 40 million. The new estimate may be a separate cache from the original number, and this data includes a mix of mailing addresses, names, numbers and emails, so when all is said and done, the personal info of up to 110 million customers, a third of American adults, could have been taken.

It’s been nearly a month since Target admitted to the data breach that left customers’ credit card details at risk. It’s had quite the snowball effect, inflicting damage on different groups, primarily Target, the customers, and the security industry. Let’s take a look at some of the various effects to arise since the Target fiasco.

The Security Industry:

In the wake of the breach, much has been made of the fact that the US continues to stick with magnetic stripe credit cards instead of switching over to ‘smarter’ cards that have proven harder and more expensive for hackers to crack, as other technologically-savvy countries have done. Canada, the U.K. and Hong Kong have already made the switch to cards with embedded microchips. The Target incident may be enough to push the big credit card companies to begin their plans for the big switch early.

Another issue has been the amount of data companies like Target (and now Neiman Marcus) collect and keep, needlessly, and the lack of security between systems, especially with regard to Point of Sale systems, which in secure practice should not communicate with each other. With the most recent figure for the data hacked, a wider range of information was taken. It includes information collected during routine calls to customer service and when shopping online, which most likely indicates that different data systems were intercepted in the breach.

Now the security industry is left both answering and asking how the Target breach was able to happen in the first place, and how many other commercial businesses are in a similar position with regard to security practices. As more companies realize the real risk of not being both PCI compliant and secure, the security industry and corporate world will hopefully be answering that question in a proactive way.

Target:

Since it released the statement admitting to the data breach, Target has been floundering with regard to customer relations and media coverage. Article after article (ahem) has been written about the incident, which was second in the number of customers impacted only to the 2007 TJX breach (46 million affected) and may end up taking first place, and new details and victim responses keep the story in the media. As of right now there are many questions but very selective answers, so it’s a sure bet Target has not had its last day in the papers.

At least three class-action lawsuits have already been filed in the wake of the breach, seeking a total of over $5 million in damages. Attorneys general in several states have also demanded that Target answer vital questions pertaining to how victims were notified of the breach and how the incident occurred. There’s also a possibility that the banks will sue the retailer in order to get reimbursed for the losses they’re bound to face.

It’s still not certain who will ultimately pay the bill on what’s bound to be a very costly incident. For comparison, the TJX breach ended up costing $256 million including the lawsuits and security upgrade costs, so while Target will ultimately survive, it’ll hurt if they’re responsible for the whole cost of recovery. It all comes down to the question of whether or not Target was negligent in the security of customer data, one of the many puzzle pieces still being put together by a flurry of forensic analysts and the Secret Service.

The Customers:

Between not all victims being informed about the situation, not knowing whether the CVV data and PIN numbers had been decrypted (or encrypted properly in the first place), and dealing with an assortment of bank issues, customers have been inconvenienced in a number of ways and have been understandably frustrated. Luckily, they won’t be burdened much financially once all the lawsuits and reimbursements for any fraud that occurs are said and done. Target has also announced it will be funding a year of credit checks and services to ensure customers’ continued safety in light of the situation, though as Brian Krebs pointed out, identity theft, which is possible with the amount of data obtained, is not as easy to uncover and not as cheap an issue to resolve.

Target CEO, chairman and president, Gregg Steinhafel, admitted to the mess in their release, writing, “I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this.”

The just-discovered victims will only be notified by email next week, so there will be other as-of-yet unknown issues that will arise. Since the new information included personal identifying information such as home addresses, emails and phone numbers, as opposed to mostly anonymous card details, there is the risk of other malicious uses. Phishing scams, harassment and identity fraud are just a few of the new dangers posed to these customers.

Customers have dealt with various financial consequences, mostly depending on their bank. Some banks began blocking or clipping customer transactions, forcing those people to pay with cash or check during the holiday season, when credit cards are almost essential. Chase is taking measures one step further, issuing brand new cards to each of its two million affected customers.

Hackers are currently working overtime trying to decrypt a 50GB data dump of encrypted PINs, working together in forums. Though the message boards don’t say where the PINs came from, there is no doubt that the overwhelming majority would come from Target customers. The Triple DES (3DES) encryption is apparently vulnerable to brute-force attack, Andrew Komarov, CEO of IntelCrawler, told SC Magazine. The weak encryption means that identical PINs are encrypted identically, and with a little field work, hackers can fairly quickly figure out the numbers of all PINs encrypted the same way. Customers will need to continuously monitor their credit or debit card bills and be on the look-out for potential phishing scams.
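The property described above (identical PINs encrypting to identical ciphertext under one key) and the effect of binding the PIN block to the card number, as ISO 9564 format 0 does, shown as an added example that is not from the article or from any retailer's systems. The small Feistel cipher is a stand-in for 3DES, and the key, card numbers and PINs are constructed.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # constructed key for the example only
# Constructed (card number, PIN) records; three cards share one PIN.
RECORDS = [
    ("4000000000000002", "1234"),
    ("4000000000000010", "1234"),
    ("4000000000000028", "1234"),
    ("4000000000000036", "9081"),
]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Stand-in 64-bit block cipher (4-round Feistel over HMAC-SHA256), not 3DES."""
    left, right = block[:4], block[4:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right

def pin_field(pin):
    # ISO 9564 format 0 PIN field: 0, PIN length, PIN digits, padded with F.
    return bytes.fromhex(("0%X%s" % (len(pin), pin)).ljust(16, "F"))

def pan_field(pan):
    # 0000 followed by the rightmost 12 card digits, excluding the check digit.
    return bytes.fromhex("0000" + pan[:-1][-12:])

def naive_encrypt(pin, pan):
    # Weak setting: only the PIN enters the cipher, so equal PINs collide.
    return encrypt_block(KEY, pin_field(pin))

def pan_bound_encrypt(pin, pan):
    # Corrected setting: the PIN field is XORed with the card's PAN field first.
    return encrypt_block(KEY, _xor(pin_field(pin), pan_field(pan)))

def repeated_ciphertexts(records, encrypt):
    """Audit check: how many records share their ciphertext with another record."""
    counts = Counter(encrypt(pin, pan) for pan, pin in records)
    return sum(n for n in counts.values() if n > 1)

if __name__ == "__main__":
    print("PIN only:", repeated_ciphertexts(RECORDS, naive_encrypt))
    print("PAN bound:", repeated_ciphertexts(RECORDS, pan_bound_encrypt))
```

A non-zero count from the audit function on a sample of stored PIN blocks indicates that the encryption is not diversified per card.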

Lessons Learned – Or That Should Be

The Target breach needs to be a lesson for any business and any consumer. The number one lesson for consumers would be: Your data is sacred. Not every company treats it as such, so be very wary of what you disclose. The number one lesson for businesses is: Customer data is sacred and should be treated as such, with proper care, strong encryption and quick disposal. Of course it’s not that simple, but it’s the fundamental base for building a secure business.

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.