A few days before Christmas the US retail giant Target revealed that payment details from up to 40 million credit cards could have been stolen after being used on card-swipe machines at 1,797 Target stores. The breach started just before Black Friday and continued for about two and a half weeks.
Target CEO Gregg Steinhafel revealed in a CNBC interview yesterday that the cyber-thieves stole the credit card numbers, CVV numbers and encrypted PIN codes of 40 million customers by installing malware into the point-of-sale devices used in the Target stores. This same malware also allowed the thieves to take personally identifiable information, including postal addresses and phone numbers, on a total of 70 million shoppers.
At the time of the breach, Brian Krebs revealed that sources at credit card payment processing firms had told him about the data-stealing malware but this is the first time that the existence of the malware has been confirmed by Target itself.
“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”
The security breach was discovered on December 15th, but Target didn’t go public until December 19th. As a result the company is coming under increasing pressure to justify the four day delay in notifying its customers. According to Steinhafel the sequence of events from the 15th were as follows:
- Day 1 – Breach discovered and malware removed from POS registers.
- Day 2 – Initiating the investigation work and the forensic work.
- Day 3 – Setting up the call center and preparing store employees for customer queries.
- Day 4 – Public disclosure.
Target was not the only US retailer to suffer a security breach in the run up to Christmas. Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be made publicly. According to people familiar with the situations these three retailers were attacked using similar techniques as the ones used on Target. There is speculation that the perpetrators of the Target attack may also be responsible for these other security breaches.