Follow along with the video below to see how to install our site as a web app on your home screen.
Note: This feature may not be available in some browsers.
http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html?_r=0SAN FRANCISCO — Target confirmed Thursday morning that it was investigating a security breach involving stolen credit card and debit card information for 40 million of its retail customers.
Target’s announcement came one day after a security blogger, Brian Krebs, first reported the breach. In a statement, Target confirmed that criminals gained access to its customer information on Nov. 27 — the day before Thanksgiving and just ahead of one of the busiest shopping days of the year — and maintained access through Dec. 15.
The DOJ declined to comment on whether it's investigating Target, the nation's second largest discounter.
Target also said that it's teaming up with the U.S. Secret Service in its own investigation. Target said the Secret Service has asked the company not to share many of the details of the probe.
Additionally, Target said that it held a conference call with the state attorneys general on Monday.
The investigations and the call come after Target said earlier this week that data connected to about 40 million credit and debit card accounts was stolen that began over the Thanksgiving weekend.
Target steps up breach investigation with Justice
Target Says Data Was Stolen From 40 Million Shoppers
http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html?_r=0SAN FRANCISCO Target confirmed Thursday morning that it was investigating a security breach involving stolen credit card and debit card information for 40 million of its retail customers.
Targets announcement came one day after a security blogger, Brian Krebs, first reported the breach. In a statement, Target confirmed that criminals gained access to its customer information on Nov. 27 the day before Thanksgiving and just ahead of one of the busiest shopping days of the year and maintained access through Dec. 15.
Target said an investigation found that hackers stole the personal information of at least 70 million customers, including names, mailing addresses, telephone numbers and email addresses. Previously, the No. 3 U.S. retailer said the hackers stole data from 40 million credit and debit cards. The two sets of numbers likely contained some overlap, but the extent was not clear, according to Target spokeswoman Molly Snyder. She said some of the victims did not shop at Target stores during the period of the breach, between November 27 and December 15, and that their personal information was stolen from a database. "I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Target Chief Executive Gregg Steinhafel said in the statement on Friday.
Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were joining a nationwide probe into the security breach. A source familiar with the joint probe said more than 30 states were involved. "A breach of this magnitude is extremely disconcerting and we are participating in a multi-state investigation to discover the circumstances that led to this breach," Massachusetts Attorney General Martha Coakley said. Security experts said the stolen payment card data could be used to fabricate false magnetic strip credit cards. And the personal information could be sold on underground exchanges for use in email "phishing" campaigns, aimed at persuading victims to hand over even more sensitive information, such as bank account numbers. "I think they still have no idea how big this is," said David Kennedy, a former U.S. Marine Corps cyber-intelligence analyst who runs his own consulting firm, TrustedSec LLC.
Target lowered its fourth-quarter profit forecast, in part due to weaker-than-expected sales since reports of the cyber-attack emerged in mid-December. Target shares closed down just over 1 percent to $62.62, hovering near a year-low. The largest known breach at a U.S. retailer, uncovered in 2007, was at TJX Cos Inc, operator of the T.J. Maxx and Marshalls chains, where more than 90 million credit cards were stolen over about 18 months.
On Friday, Neiman Marcus revealed it too had been the victim of a security breach. The high-end department store was informed by its credit-card processor in mid-December of possible unauthorized card activity that followed customer purchases at Neiman Marcus stores, spokeswoman Ginger Reeder said. A subsequent investigation turned up evidence on January 1 of a "criminal cybersecurity intrusion" that may have compromised an unknown number of customers' cards, the company said. Neiman Marcus, owned by the Canada Pension Plan Investment Board and private equity firm Ares Management LLC, is still investigating and said it did not know at this time how many customers may have been affected. Nor was it immediately clear whether it was linked to the Target incident.
FRAUD REPORTS GROWING
A California cybersecurity firm's assertion that a Russian teenager authored the malware behind the massive Target data breach during the holidays was disputed Sunday by the Internet security blogger who broke the Target story. IntelCrawler, based in Los Angeles, said late Friday that a teenager "close" to 17 years old authored the malicious software and reportedly sold it for about $2,000 to dozens of cybercriminals in Eastern Europe and other countries. Brian Krebs, a widely followed Internet security blogger and former Washington Post reporter, disputed that information in an interview and on Twitter. "We don't think we are wrong," IntelCrawler president Dan Clements responded Sunday.
While IntelCrawler says the teen allegedly authored the malware, it doesn't allege that he perpetrated the breach. Clements says IntelCrawler's CEO did a report on the malware, known as BlackPOS, earlier last year and the teen was identified then as the author and allegedly is a well-known programmer of malicious code in the underground world. Target, the nation's second-largest retailer, has apologized for the security breach, which it said affected up to 110 million shoppers. The same malware may have been involved in a similar but far smaller attack on luxury retailer Neiman Marcus around the time, IntelCrawler says. The retailer has not said how many customers were affected by its breach.
The retailers had no further comment on the incidents Sunday. The Department of Homeland Security did not respond to inquiries. The software reportedly enabled the thieves to remotely hack into Target's computer systems and obtain customer credit card numbers and other information, which was then sent back to a computer controlled by cyber thieves. State and federal officials, including the Secret Service, have launched an extensive investigation into the breaches.
Doubts raised over ID of Target malware author
One of their favorites: Verifone Systems Inc, a $3.2 billion market cap company that is one of two major global manufacturers of point-of-sale terminals and mobile payments systems and could profit from any major upgrades of payment technology. Analysts at JPMorgan Chase and Jefferies & Co upgraded their outlook for the company in the last 10 days, helping send its shares price up about 25 percent since the Target breach was first reported on December 18. Yet for its shares to continue to rally, Verifone must prove to analysts and portfolio managers it has taken steps to right its own ship after several years of choppy performance.
That question mark is a product of several years of poor acquisitions and a history of missing earnings estimates that left the company's shares down more than 20 percent for the year just before the Target breach become public - in a bullish year for stocks. It hangs over the company as a new wave of credit card technology looks poised to finally make inroads in the U.S. after being the standard in Europe for years. "Verifone has a tremendous and recently unappreciated position in the industry, yet it's kind of a messy place. The new management team looks great, but this is like waiting for Godot," said Jeffrey Bronchick, whose $56.3 million Cove Street Small Cap Value fund has one of the best performances in its category over the last three years, according to Morningstar data. In the Samuel Beckett play, two characters wait endlessly for Godot, who never shows up.
Verifone declined to make executives available for this article. Bronchick said that he sold his position in the company during its recent rally in large part because, at approximately $29 a share, its stock price looks expensive. The stock trades at a forward price-to-earnings ratio of 19.5, which is well above the approximately 16 times multiple of the broad market. "The stock is reflecting a seamless next two years and I think there's little likelihood of it," he said.
TECHNOLOGY UPGRADE
If that was, in fact, how they pulled it off - and investigators appear to be looking at that theory - it illustrates just how vulnerable big corporations have become as they expand and connect their computer networks to other companies to increase convenience and productivity. Fazio Mechanical Services Inc., a contractor that does business with Target, said in a statement Thursday that it was the victim of a "sophisticated cyberattack operation," just as Target was. It said it is cooperating with the Secret Service and Target to figure out what happened. The statement came days after Internet security bloggers identified the Sharpsburg, Pa., company as the third-party vendor through which hackers penetrated Target's computer systems.
Target has said it believes hackers broke into its vast network by first infiltrating the computers of one of its vendors. Then the hackers installed malicious software in Target's checkout system for its estimated 1,800 U.S. stores. Experts believe the thieves gained access during the busy holiday season to about 40 million credit and debit card numbers and the personal information - including names, email addresses, phone numbers and home addresses - of as many as 70 million customers. Cybersecurity analysts had speculated that Fazio may have remotely monitored heating, cooling and refrigeration systems for Target, which could have provided a possible entry point for the hackers. But Fazio denied that, saying it uses its electronic connection with Target to submit bills and contract proposals.
The new details illustrate what can go wrong with the far-flung computer networks that big companies increasingly rely on. "Companies really have to look at the risks associated with that," said Ken Stasiak, CEO of SecureState, a Cleveland firm that investigates data breaches. Stasiak said industry regulations require companies to keep corporate operations such as contracts and billing separate from consumer financial information. Stasiak emphasized that the thieves would have still needed to do some serious hacking to move through Target's network and reach the checkout system.
Chester Wisniewski, an adviser for the computer security firm Sophos, said that while it may seem shocking that Target's systems are that connected, it is a lot cheaper for a company to manage one network rather than several. He added that while retailers are supposed to keep consumer information separate, they are not required to house it on a separate network. Still, he said he was extremely surprised to hear that the hackers may have gotten in via a billing system, saying those kinds of connections are supposed to provide extremely limited access to the other company's network.
MORE
