The rising figures in the Target data breach have proved that it is important to know what has happened, how it happened and what was taken in such an event.
The breach, which was reported in December and suspected to have compromised up to 40 million payment cards, was later suspected to have affected up to 70 million users. A statement from Target, hosted by Brian Krebs, said that this was “uncovered as part of the ongoing investigation.”
“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach,” the company said.
Krebs said that while much of the data is partial in nature, in cases where Target has an email address, it will attempt to contact affected guests with informational tips to guard against consumer scams.
Jason Hart, VP Cloud Solutions at SafeNet, said that the size of this breach should serve as another wake-up call to the industry, especially encouraging organisations to think about the way that encryption is implemented.
“Whilst the payment information taken in the Target breach was encrypted, immediately reducing the impact of the breach, it is clear that data cannot be encrypted in isolation. Right now, companies encrypt to be compliant with numerous data breach regulations, such as PCI-DSS. However, as with most compliance regulations, PCI-DSS only mandates a lowest common denominator-level of security and more protection is required,” he said.
“Organisations now need to move beyond basic regulations and ensure that they are securing data throughout its whole lifecycle. This means securing data at the application layer (such as point-of-sale terminals), while it is in transit or motion, and when it is stored.”
The other angle around the Target attack and breach was a suspicion that it had in fact affected up to 110 million users. According to Threatpost, Target’s manager of public relations Molly Snyder said that while there may be some overlap between the two groups (of 40 million and 70 million), it did not know the extent.
Phil Lieberman, CEO of Lieberman Software, said that the only people who should be concerned are those who used their cards at Target, as there will probably be no material effect on Target or their stock value.
“Target will probably provide the required mea culpa and go back to spending a minimum amount of money on IT and security and not really worrying much about the security of their customers (but publicly stating otherwise),” he said.
“The common industry practice in retail (and many other industries and services) is to spend the absolute minimum amount of money on security and IT in retail as well as outsource as much of their work as possible to the least cost vendor(s). In security, you generally get what you pay for.”
This week it was reported that Target plans to spend $5 million in a multi-year campaign to educate the public on the dangers of scams, working with the National Cyber-Forensics and Training Alliance (NCFTA), National Cyber Security Alliance (NCSA) and Better Business Bureau (BBB). A Target statement said: “Target will learn from the experts at these organisations who best understand the complexities and growing challenges associated with cyber security – particularly phishing scams – and how to educate consumers in trusted, accessible and understandable ways.”
As detailed by IT Security Guru, there was malware on the Target point of sale systems, and this reduces the ability to use the term “attack”. Chris Wysopal, co-founder and chief technology officer of Veracode, suspected that the malware used was likely customised for the type of point of sale terminals that Target uses.
“At least part of Target’s network must be compromised. For the TJ Maxx attack the attackers got in through insecure wireless networks. That’s not likely how they did it here, more likely it was a phishing attack or they got in through an insecure web application,” he said.
I suspect it will be some time before we see the end of this story. We’ve had the announcement of the breach, the delayed announcement of the breach, the stories that it is almost double or treble the number of users affected and the discussion on how it was done. Next it is the challenge of repairing a spiralling problem, undoubtedly pushing the PR team into overdrive and overtime.