Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated.
Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed.
A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs.
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” according to Target’s statement. “This theft is not a new breach, but was uncovered as part of the ongoing investigation.”
The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered by the same attack, according to the few details Target has released.
Most analysts and news outlets have blamed the breach on either the security of Target’s Windows-based Point-of-Sale systems or the company’s failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS).
In its admissions up to this point, Target has said that the stolen data consisted of card numbers and encrypted PIN numbers. That implied only “track data” from the magnetic stripes on cards was stolen, probably from databases fed by the POS systems or malware that recorded the data in motion as purchases were made, according to a Dec. 31 analysis of Target’s apparent PCI compliance level by security site HackSurfer.
Most of the analysts cited by HackSurfer and other security sites focus on the possibility that the breach was accomplished using skimmers to steal track data as cards were swiped, that malware or direct penetration from outside gave thieves access to stored track data, or that the POS systems were compromised in other ways.
“Guest information” such as emails, phone numbers and street addresses isn’t stored with the track data, however, according to both PCI rules and Target’s admission that the theft of guest information was separate from the theft of track data, though related to it.
That raises the number of compromised accounts to 110 million, not 70 million – 40 million cards and 70 million “guest” accounts from a separate system.
There may be some overlap between the two groups of compromised accounts, Target spokesperson Molly Snyder told NBC News Jan. 10, but she provided no other detail about how the two data sets are related or what it means about the source of the attack.
She admitted to The Washington Post, however, that the attack may well have affected more than 100 million customers, not 70 million, as today’s announcement implied.
The new revelations also say nothing about Target’s own security or methods used by the attackers.
A new, tighter version of the PCI rules (PCI DSS 3.0) went into effect Jan. 1, 2014, but the sketchy information Target provided immediately following the breach made it “hard to believe they were even PCI 2.0 compliant at the time of the breach,” Nick Aceto, technology director at PCI security vendor CardConnect, told USA Today Dec. 23.
The breach remained open for 18 days, but PCI DSS requires that merchants check their logs and firewalls every day to look for unusual activity, Aceto said.
“This monitoring involves file integrity checks and changes to critical systems files,” Aceto told USA Today. “Unusual activity isn’t always abnormal, but the point of PCI is to monitor and verify that all activity is normal, while not letting distractions – like busy shopping days… detract from the monitoring effort.”
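The file integrity checks Aceto describes amount to recording a trusted digest of each critical file and re-hashing on a schedule to flag anything added, removed or altered. The Python below is an added example, not code from the article, Target or CardConnect; the directory layout and file names used to exercise it are constructed.

```python
import hashlib
import json
import os
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record a digest for every regular file, keyed by path relative to root."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks: hashing the target would let a swapped link hide a change.
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root_path))] = hash_file(p)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Re-hash `root` and report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def save_baseline(baseline: dict, dest: str) -> None:
    """Persist the baseline as JSON. Keep it off-host or read-only: a baseline the
    intruder can rewrite detects nothing."""
    with open(dest, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src: str) -> dict:
    """Load a baseline previously written by save_baseline."""
    with open(src) as fh:
        return json.load(fh)
```

Run build_baseline once on a known-good system, store the result, and schedule compare_to_baseline daily; any non-empty list should be reconciled against approved change records.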
Target has still not revealed enough information to give any idea about who launched the attack or how, but the size and apparent sophistication of the breach itself are enough to put a chill into both the retail and IT security industries, according to Avivah Litan, a fraud and security analyst at Gartner who was quoted in the Washington Post story Jan. 10.
“It’s a little frightening,” Litan told the Post. “These bad guys are getting into some of the most secure retailers’ networks and I’m sure it’s not going to stop at Target. We need a fundamentally different paradigm here for how we manage security…It’s kind of getting out of control.”