News outlets are reporting that US retailer Target has been hacked, allowing the credit card information for up to 40 million people to be stolen. If you have made any purchases at a Target store between Nov. 27 and Dec. 15, 2013, you should check your credit card statements carefully. At this point it is not clear if hackers had access to credit card data for Target.com purchases or for those made at Target stores in Canada (but you should check your credit card statements anyway).
According to Target:
We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).

Krebs on Security says major credit card issuers are confirming the breach, and defines the scope as:

nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

InformationWeek is also reporting on the story. According to their story:

The attack appears to have been timed to take advantage of the busiest shopping day of the year, Black Friday, which this year fell on November 29. But the heist was likely planned far in advance. "Due to the size and scale, this seems like it would have been a planned attack that began well before Black Friday," said Matt Standart, HBGary's threat intelligence director, via email. "To be successful, the adversary would have performed detailed reconnaissance and other activities in preparation for their primary mission objective. This would have required infrastructure compromise, entrenchment, command and control, and privileged access, all of which take time and effort."

Targeting the holiday shopping period -- and especially Black Friday -- was an astute move on the part of attackers, he added. For starters, they could have amassed the maximum possible amount of card data before being detected. In addition, the volume of sales, and resulting load on Target's IT infrastructure, might have served as "a distraction to give more operational security to the adversary," Standart said.

Target will now face sharp questions about whether it was storing card data in encrypted format, and whether it had been certified as being compliant with the Payment Card Industry Data Security Standard (PCI-DSS). A Target spokesperson, emailed for comment on the above questions, didn't immediately respond.

If you have shopped at Target recently - CHECK YOUR CREDIT CARD STATEMENT TODAY.