As some of you probably know, or perhaps have even been affected, the American retail giant Target has suffered a massive security breach: as many as 40 million customers may have had their credit and debit card data stolen. As reported by KrebsOnSecurity, hackers gained access to the company’s data infrastructure. What is particularly notable is that the theft did not affect online shopping but in-store operations, since the stolen data came from the cards’ magnetic stripes. If the attackers also managed to intercept PIN numbers, they might be able to recreate the cards and siphon money straight from ATMs. Yesterday an official statement was issued by the company’s CEO, Gregg Steinhafel.
First of all, it has to be said that the disclosure was made quite quickly (the breach occurred between November 27 and December 15); however, it is also quite vague. To what extent the timing of the statement was determined by good policy rather than by industry regulation, I leave for you to consider. Furthermore, given how recently it all happened, there is probably much more to uncover. As for the actual content, the main points that stand out are:
- there is no indication that PIN codes were stolen
- the time frame has been officially confirmed as November 27 to December 15, and Canadian stores have not been affected
- ‘Even if you shopped at Target during this time frame, it doesn’t mean you are a victim of fraud’, i.e. the actual scope of the damage is yet to be known
The last point is especially important. As with every massive data leak, be it the PlayStation Network breach or the GE Money backup tape affair, it is hard to estimate the actual damage that will result. The reason is that there are many factors to take into account: the scope of the breach beyond the point of sale (perhaps PINs were intercepted prior to the attack), what percentage of the data will float onto the black market, how successful customers will be at damage control and, finally, what Target will do to protect its clients. The last factor matters because Target is apparently much better prepared for catching criminals than most of the major retailers: the company is known to run a high-end forensic laboratory, which assists law enforcement agencies in the US.
Finally, let’s concentrate a bit on how the attack scenario has developed. First reports indicated that hackers managed to gain physical access to the PoS terminals and infect them with malicious software. Soon after, a comment appeared which suggested that this kind of breach is nigh impossible, given that the attacks would have had to occur in crowded retail stores full of security cameras, including ANPR-capable ones in the parking lots. Furthermore, some stores include cell phone monitors able to track mobiles by MAC address when Bluetooth is on. And that is before even getting to the complexity and sophistication of the PCI security standard. Bottom line: the terminal angle is a feel-good fairy tale for customers, and one that avoids the embarrassment of the 36th biggest company in the US having its central database breached. So what happened, according to the poster? A breach of the wireless network, which due to poor internal architecture allows access to any node in the company network. It is worth pointing out that a wireless attack was also the cause of the TJX data leak.
As reported by Brian Krebs, the card data has already hit the black market. What the scope of the losses will be, and whether the attackers will get caught, is yet to be seen.