Rising impact of Target breach indicates deeper hack into systems

Target has found that 70 million more people had personal information stolen in the security breach discovered last month, and experts say the type of data taken indicates the hackers went deeper into the retailer's network than previously thought.

Target said Friday that names, mailing addresses, phone numbers or email addresses were also taken during the holiday shopping season. The retailer had said in its original disclosure Dec. 19 that debit or credit card numbers of 40 million accounts were stolen.

In the latest update, Target said the stolen information belonged to "up to 70 million individuals," which amounts to more than a fifth of the number of people living in the U.S. How many of these people actually become victims of fraud as a result of the hack remains to be seen.

Meanwhile, security experts say the differences in the kind of data stolen in the first and the second announcement indicate that the hackers broke into two separate systems.

Based on what Target has said, the card data was taken from its computerized cash registers, called point-of-sale systems in tech jargon, which would not have the other information the retailer says was stolen.

"It looks like these are two completely separate systems," Chris Camejo, director of assessment services at consultancy NTT Com Security, said. "The names, phone numbers, email addresses, that's coming out of a completely separate database somewhere else."

Sol Cates, chief security officer of data security vendor Vormetric, said the hackers could have started with the POS system and then searched for access to a database feeding customer information.

"I would not be surprised to find out that they were either querying, or interacting with, a centralized DB that could have been compromised as well," Cates said. "The fact that they were able to implement their attacks down to the POS system means that they were able to traverse many other paths and services that would have leveraged or serviced those POS systems."

Target says all of the information was stolen during the same security breach.

These types of discoveries are not unusual during computer forensics following a breach, experts say. Hackers are often found to have done more damage than originally thought, and the amount of data believed taken typically rises during the investigation.

For example, the 2007 data breach at TJX, which owns T.J. Maxx, Marshalls and HomeGoods, started with information taken from almost 46 million credit-card accounts, which later grew to 94 million. Fraud-related losses from Visa cards alone ranged from $68 million to $83 million.

"I would expect the number of impacted cardholders could still yet increase as the forensic analysis continues," Paul Henry, a senior instructor in forensics with the SANS Institute, said.

In terms of the impact on Target customers, experts were more concerned with the type of data described in the retailer's latest update than with the card numbers in the original disclosure.

That's because the issuer usually absorbs the fraudulent charges on debit and credit cards. The other information stolen could help criminals build profiles on individuals, who can then be impersonated while applying for loans or filing a bogus tax return for a refund.

"If you find out that the (Internal Revenue Service) has given a refund to someone else in your name, you're looking at months of working with the IRS and waiting for them to work through the backlog of these cases," Neil Chase, spokesman for LifeLock, an identity theft protection company, said.

Target expects to suffer losses from the breach. In an updated forecast for the fourth quarter 2013, the company said financial results may include charges related to the hack, but it was not yet able to estimate the cost. The charges could include reimbursement for card fraud and legal expenses resulting from lawsuits.

The company also reported "meaningfully weaker-than-expected sales" following the announcement of the breach, which occurred at the height of the holiday shopping season.


Stories by Antone Gonsalves
