US retail giant Target has confirmed it was the victim of a two-week-long attack that may have compromised approximately 40 million credit and debit cards and CVV codes, as well as customer names.
Target officials said the issue – which affected customers who made in-store card purchases in the United States between November 27 and December 15 – had been identified and resolved.
In response to learning of unauthorised access to card data, the retailer alerted authorities and financial institutions, and hired a forensics firm to investigate the matter and provide tips on how best to prevent similar issues in the future.
Officials with Target have yet to reveal details of exactly how attackers were able to obtain the card information, but security experts and researchers believe that point-of-sale (POS) devices were compromised by the hackers.
“It is speculation at this point, but it seems likely that either there was a compromise on the POS equipment itself – across many stores – that was delivered via the network, or that their network was hacked upstream and card information diverted to the bad actors,” Cameron Camp, security researcher with IT security company ESET, told SC Magazine on Thursday.
Some experts opined that malware was installed on the POS devices, but on her blog, Avivah Litan, vice president and distinguished analyst at research firm Gartner, suggested that a myriad of security controls and adherence to PCI make that scenario unlikely.
“My guess is that the data was stolen from Target's switching system for authorisation and settlement,” she wrote.
Julian Waits, CEO at ThreatTrack, told SC that Target did not seem to be careless and that this incident really underscores how vulnerable most retailers are to these kinds of coordinated data thefts.
“The hackers' working hypothesis is that if they can topple one retailer, they can tumble the others using the same penetration method,” Waits said. “The same holds true for POS systems. There is so much standardisation in POS systems, credit card processing and security measures that hackers think once they successfully execute an attack on one major retailer, they can exploit all retailers using the same methods, such as a POS botnet attack.”
Conversely, Rajat Bhargava, CEO of cloud server management company JumpCloud, told SC that he believes Target has not been transparent with impacted customers.
“Target has not been forthcoming as of yet and that is a problem for people trying to understand what they should do,” Bhargava said. “It appears that internally they are taking it seriously and assembling the right team with forensic experts, law enforcement, and other crisis experts.”
For now, security experts and officials with Target are encouraging customers to monitor their accounts closely for any fraudulent activity.