Almost all Target locations nationwide appear to be affected, according to Krebs, though the breach didn’t impact online purchases. The data stolen was track data, the information stored on a credit card’s magnetic strip, which can be used to create counterfeit credit cards.
In a statement acknowledging the breach, the company explained, “We began investigating the incident as soon as we learned of it. We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV.”
A source at a data breach investigation firm told Krebs that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”
According to Gidi Cohen, CEO of Skybox Security, this was clearly a well-planned attack. “Given the timing — the height of the holiday shopping season — the attackers chose a time period where they could inflict the maximum damage and gain access to a wealth of financial information,” he said.
“If you’re a criminal, mounting an attack on a large retailer like Target at this time of year makes a lot of sense because you’re likely to steal data from a larger number of cards in a shorter period of time than during any other period,” ESET senior security researcher Stephen Cobb said. “There is also a lively underground black market for stolen card details which means the thieves may be able to achieve a quick turnaround on their investment.”
Needless to say, this is going to be expensive for Target. “According to current averages — about $200 per record — the 40 million cards could cost Target upwards of $8 billion or more to deal with this,” Neohapsis principal security consultant Erik Bataller said. “And that doesn’t include the possible impact to the 40 million customers directly.”
And in a recent blog post, Gartner analyst Avivah Litan suggested this may well have been an inside job. “I’m not so sure it was due to a piece of malware inserted remotely by a clever hacker,” she wrote. “I recently heard a couple of high placed secret service officers say that the Heartland Payment Systems breach — the largest breach in history where 130 million payment cards were compromised — was actually executed by Albert Gonzales in a very low tech manner. These agents said Gonzales was working at Heartland as a call center employee and simply walked out with the sensitive payment card data every day on a USB drive. … If we’ve learned anything from the Snowden/NSA and Wikileaks/Bradley Manning affairs, it’s that insiders can cause the most damage because some basic controls are not in place.”