During the Black Friday shopping week, tens of millions of credit and debit card records were "phished" out of Target. The data breach was nationwide and extended through December 15th. The type of data that was stolen is called "track data", which allows the hackers to create counterfeit cards, and if they also have PIN information for debit cards, they could even withdraw cash from ATMs.
The whole thing is being investigated by the Secret Service, so I'm sure that more information will become available during the coming weeks. This is a monster data breach, and if you look at the level of sophistication, you can only conclude this is the eastern European cyber mafia at its best.
The hackers were able to get into the physical card-swipe equipment at the stores themselves and intercepted the swiped card data at the hardware level, before it was encrypted. This is unheard-of sophistication: it shows a long-term preparation phase, Target's network was compromised for an extended period, and the attack was planned and executed with almost military precision. That's an Advanced Persistent Threat (APT) if I've ever seen one; you almost have to admire the bad guys for pulling off a perfect cyberheist like this.
So how did they get into Target's network? I'm willing to bet $100 that they sent a spear-phishing attack and social-engineered someone on Target's development team, penetrated their development servers, and methodically wormed their way down to the level of the card scanners so that they could insert malware into those devices. Wow, these bad guys are good. Think about this for a moment: now other cybercriminals know that this can be done.
This is a breaking story, so more data will hit the media soon. If you or a family member have made any purchases at Target the last few weeks, do this:
- Make a hard-copy of all credit card statements for cards you may have used at Target. Monitor your statements going forward, online if you can, and call them if you see any unauthorized charge.
- If you did shop at Target these last few weeks, I would call your credit card company right now, check all charges from the last few weeks with their customer support rep, and ask for a new card.
- If you want more info, the Privacy Rights Clearinghouse is a trustworthy source of steps you can take now.
- The FTC is the best place for information on what to do and who to contact if you think your credit or debit card has been compromised.
Now, this will be fantastic fodder for lawyers who will start trolling for people that are part of the inevitable class action lawsuit. Expect TV ads that encourage you to call an 800 number to see if you are eligible for damages. And you will get a letter from Target with more details of this incredible data breach. This is incredibly expensive for Target.
And mark my words, it is highly likely this could have been prevented with effective security awareness training!
Anybody taking me up on my $100 bet?