Retail giant Target has become the victim of a more than two-week-long attack that may have compromised approximately 40 million credit and debit cards and CVV codes, as well as customer names.
The retailer did not yet announce which of its nearly 1,800 U.S. stores were impacted in the attack, but officials did declare that the issue – which affected customers who made in-store card purchases between Nov. 27 and Dec. 15 – had been identified and resolved, according to a post on the Target website.
In response to learning of unauthorized access to card data, the retailer alerted authorities and financial institutions, as well as hired a forensics firm to investigate the matter and provide tips on how to best prevent similar issues in the future.
Officials with Target have yet to reveal details into exactly how attackers were able to obtain the card information, but security experts and researchers believe that point-of-sale (POS) devices were compromised by the hackers.
“It is speculation at this point, but it seems likely that either there was a compromise on the POS equipment itself – across many stores – that was delivered via the network, or that their network was hacked upstream and card information diverted to the bad actors,” ESET researcher Cameron Camp told SC.
Some experts opined that malware was installed on the POS devices, but on her blog, Avivah Litan, vice president and distinguished analyst at research firm Gartner, suggested that a myriad of security controls and adherence to PCI makes that scenario unlikely.
“My guess is that the data was stolen from Target's switching system for authorization and settlement,” she wrote.
ThreatTrack CEO Julian Waits said the incident underscored retailers were vulnerable to coordinated data theft.
“The hackers' working hypothesis is that if they can topple one retailer, they can tumble the others using the same penetration method,” Waits said. “The same holds true for POS systems. There is so much standardization in POS systems, credit card processing and security measures that hackers think once they successfully execute an attack on one major retailer, they can exploit all retailers using the same methods, such as a POS botnet attack.”
JumpCloud CEO Rajat Bhargava said Target was not transparent with impacted customers.
“Target has not been forthcoming as of yet and that is a problem for people trying to understand what they should do,” Bhargava said. “It appears that internally they are taking it seriously and assembling the right team with forensic experts, law enforcement, and other crisis experts.”
For now, security experts and officials with Target are encouraging customers to monitor their accounts closely for any fraudulent activity.