Target US has confirmed attackers planted malware on its point of sale devices, resulting in the theft of some 40 million credit and debit cards and 70 million personal records.
The retail giant had been tightlipped on how hackers stole its customers' financial and personal data until hours ago when chief executive officer Gregg Steinhafel admitted malware was installed on its payment terminals.
Target said it did not know the full extent of how the breach was launched or who was behind the attacks and was working with law enforcement agencies to investigate.
The anonymous sources also said other major US retailers were affected in the same wave of attacks, including Neiman Marcus.
The RAM scraping tools allowed attackers to obtain cleartext financial data by capturing it from live memory, therefore avoiding the need to break encryption.
Researchers have told SC Magazine they were tracking cyber crime groups in a bid to determine where the credit cards were being sold off but to date noone has concretely identified the alleged offenders.
Research outfit IntelCrawler claimed a series of posts in cybercrime forums asking for help to crack the 3DES encryption protecting the compromised PINS may be linked to the huge credit card haul.
The company's head Andrew Komarov also suggested the Target raid had similarities with the infamous Heartland Payments breach, which was the largest financial data breach in history.
"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breeches (sic). In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," Komarov said in a blog post.
He did not respond to a request for more information to support his claims.
Alex Holden, chief security officer of US breach consultancy Hold Security told SC credit cards thieves have been much more active in recent months.
"Over the past month we definitely have seen much higher volume of activities on the carding scene," Holden said.
"However, I am of an opinion that by design the PIN numbers are significantly more secure because of the complexities of encryption."
Initial reports of the Target breach pegged the number of compromised credit and debit cards stolen during the three-week attack at a few million.
Over the ensuing weeks, that number has tipped 40 million, and now includes the names, mailing addresses, phone numbers and email addresses of up to 70 million individuals which was stolen in a separate but connected hack.
Target said much of the information is “partial in nature" adding it would attempt to contact affected individuals.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Steinhafel said in a statement Saturday.
The company is unable to estimate any costs associated with the breach, according to the release, which may include, “liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities.”