Retail giant Target announced Thursday that it had become the victim of a more than two-week-long attack that may have compromised approximately 40 million credit and debit cards and CVV codes, as well as customer names.
The retailer did not yet announce which of its nearly 1,800 U.S. stores were impacted in the attack, but officials did declare that the issue – which affected customers who made in-store card purchases between Nov. 27 and Dec. 15 – had been identified and resolved, according to a post on the Target website.
In response to learning of unauthorized access to card data, the retailer alerted authorities and financial institutions, as well as hired a forensics firm to investigate the matter and provide tips on how to best prevent similar issues in the future.
Officials with Target have yet to reveal details into exactly how attackers were able to obtain the card information, but security experts and researchers believe that point-of-sale (POS) devices were compromised by the hackers.
“It is speculation at this point, but it seems likely that either there was a compromise on the POS equipment itself – across many stores – that was delivered via the network, or that their network was hacked upstream and card information diverted to the bad actors,” Cameron Camp, security researcher with IT security company ESET, told SCMagazine.com on Thursday.
Some experts opined that malware was installed on the POS devices, but on her blog, Avivah Litan, vice president and distinguished analyst at research firm Gartner, suggested that a myriad of security controls and adherence to PCI makes that scenario unlikely. “My guess is that the data was stolen from Target's switching system for authorization and settlement,” she wrote.
Julian Waits, CEO at ThreatTrack, told SCMagazine.com on Thursday that Target did not seem to be careless and that this incident really underscores how vulnerable most retailers are to these kinds of coordinated data thefts.
“The hackers' working hypothesis is that if they can topple one retailer, they can tumble the others using the same penetration method,” Waits said. “The same holds true for POS systems. There is so much standardization in POS systems, credit card processing and security measures that hackers think once they successfully execute an attack on one major retailer, they can exploit all retailers using the same methods, such as a POS botnet attack.”
Conversely, Rajat Bhargava, CEO of cloud server management company JumpCloud, told SCMagazine.com on Thursday that he believes Target has not been transparent with impacted customers.
“Target has not been forthcoming as of yet and that is a problem for people trying to understand what they should do,” Bhargava said. “It appears that internally they are taking it seriously and assembling the right team with forensic experts, law enforcement, and other crisis experts.”
For now, security experts and officials with Target are encouraging customers to monitor their accounts closely for any fraudulent activity.