October 25, 2014

Target CEO resigns five months after data breach revelation

At the end of December last year, during one of the busiest shopping seasons, the US retailer Target revealed that payment details from up to 40 million credit cards had been stolen after being used on card-swipe machines at 1,797 of its stores. The attack started just before Black Friday and continued for about two and a half weeks.

Five months on from the announcement of the data breach, Target’s board of directors has decided to remove Gregg Steinhafel as chairman and chief executive, saying it wanted new leadership to help restore consumer confidence. The official text from the board of directors thanks Steinhafel for his “significant contributions and outstanding service throughout his notable 35-year career with the company” but blames the CEO directly for the data breach: “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable…” And now it looks like that accountability has lost him his job.

After the attack, details started to emerge showing that Target could have prevented it. According to Bloomberg, Target had invested $1.6 million installing a malware detection tool from FireEye.

Target used a team of security specialists in Bangalore to monitor its network. On Saturday, Nov. 30, the hackers uploaded malware to Target’s network so that they could copy the stolen credit card details. FireEye spotted the malware along with some suspicious activity and the Bangalore team alerted their bosses in Minneapolis. But it appears that the security team in Minneapolis did nothing.

Since the breach, Target has faced at least 90 lawsuits and been forced to spend at least $61 million to settle them. According to Brian Krebs, Target does not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Krebs also estimates that the cyber criminals probably made somewhere around $53 million from the sale of stolen credit card details.

It is thought that details of up to 3 million cards were successfully sold on the black market and used before the issuing banks managed to cancel the whole batch of 40 million cards.

Malware used on point-of-sale terminals to steal details of 40 million credit cards

A few days before Christmas the US retail giant Target revealed that payment details from up to 40 million credit cards could have been stolen after being used on card-swipe machines at 1,797 Target stores. The breach started just before Black Friday and continued for about two and a half weeks.

Target CEO Gregg Steinhafel revealed in a CNBC interview yesterday that the cyber-thieves stole the credit card numbers, CVV numbers and encrypted PIN codes of 40 million customers by installing malware into the point-of-sale devices used in the Target stores. This same malware also allowed the thieves to take personally identifiable information, including postal addresses and phone numbers, on a total of 70 million shoppers.

At the time of the breach, Brian Krebs revealed that sources at credit card payment processing firms had told him about the data-stealing malware, but this is the first time that the existence of the malware has been confirmed by Target itself.

“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”

The security breach was discovered on December 15th, but Target didn’t go public until December 19th. As a result, the company is coming under increasing pressure to justify the four-day delay in notifying its customers. According to Steinhafel, the sequence of events from the 15th was as follows:

  • Day 1 – Breach discovered and malware removed from POS registers.
  • Day 2 – Initiating the investigation work and the forensic work.
  • Day 3 – Setting up the call center and preparing store employees for customer queries.
  • Day 4 – Public disclosure.

Target was not the only US retailer to suffer a security breach in the run-up to Christmas. Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be made public. According to people familiar with the situations, these three retailers were attacked using techniques similar to those used on Target. There is speculation that the perpetrators of the Target attack may also be responsible for these other security breaches.