Target's data breach MUCH bigger than first thought - now more than 100,000,000 records

Filed Under: Data loss, Featured, Privacy

US megaretailer Target is having a tough time of it.

Having said that, so are its customers - and even, as it now turns out, many of its non-customers, too.

Late in 2013, pretty much half way between Black Friday and Christmas, Target realised it has been, well, the target of an enormous data theft.

As far as Target could tell, its breach wasn't quite in the very top league, such as those of Adobe and Sony, both of whom had been plundered in the past to the tune of more than 100,000,000 records.

But the breach at Target was epic by any standards, with 40,000,000 payment card records sucked up by cybercriminals.

→ Early reports suggested that printed CVVs (the three digit codes that only ever appear in printed form on the back of your card) had been stolen along with card numbers, expiry dates and so forth. We were sceptical, as we explained in Episode 127 of the Chet Chat podcast, because the stolen records appeared to relate to in-store purchases, also known as card present transactions, where the CVV is not used. Target subsequently confirmed that these printed security codes were not stolen. That reduces the risk of fraudulent on-line purchases, because card not present transactions usually require the CVV.

Sadly, Target just got promoted to the top league.

The company has now joined the "hundred million plus" data breach club, following its discovery that a further 70,000,000 records were plundered in the raid:

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

From this, it seems reasonable to infer that the crooks who got into Target's network enjoyed much wider rein than was obvious at first, penetrating more than one business system.

Presumably, from Target's use of the words "guest information," this additional data wasn't related only to customers who actually purchased something from one of the company's stores during the November-December 2013 timeframe, but also potentially to anyone who has ever interacted with Target in any way.

In other words, you may be at risk from this exposure even if you've never bought anything from Target.

In some ways, this second part of the breach is worse than the first, because it involves truly personal PII (personally identifiable information).

That's because, for most people, getting a new credit card is actually much less disruptive, and considerably easier, than getting a new phone number or a new address.

And in case anyone was in any doubt whether a breach is bad for the company that gets breached, Target has the answer.

As well as presenting bad news to its customers and so-called "guests," the company has had to publish an update to its fourth-quarter financial predictions.

Target is warning shareholders that EPS (earnings per share) will most likely end up at $1.20-$1.30, down from earlier predictions of $1.50-$1.60.

It is also warning of poorer-than-expected sales, despite upbeat performance until the original breach announcment:

This outlook anticipates a fourth quarter 2013 comparable sales decline of approximately (2.5)%, compared with prior guidance of approximately flat comparable sales. The updated sales expectation reflects:

* Stronger-than-expected fourth quarter sales prior to the Company’s December 19, 2013, announcement of a payment card data breach;

* Meaningfully weaker-than-expected sales since the announcement, which have shown improvement in the last several days, and;

* A comparable sales decline of (2)% to (6)% for the remainder of the quarter.

Target isn't mincing its words: the breach has hit the company where it hurts.

Let's hope that there aren't any more databases that the crooks got into while they were targeting Target.

Imagery of bullet hole courtesy of Shutterstock.

, , , , , ,

You might like

5 Responses to Target's data breach MUCH bigger than first thought - now more than 100,000,000 records

  1. Robert Scroggins · 634 days ago

    I don't understand how the breach could endanger anyone who has ever interacted with Target in any way. If this is true, then Target must have other information in the stolen information/database other than credit card information/Name/Address. That sounds like they had credit bureau type info.


    • Paul Ducklin · 634 days ago

      I'm assuming what they mean by "guests" are people who have done things such as filling in surveys, requesting catalogues, entering competitions, and the like, whether they later went on to become customers or not.

      The whole problem seems to be that this isn't additional information that happened to be in with the credit card data - it's data taken from a completely different system, perhaps even one from a completely different business division (e.g. from marketing, not from sales).

      That's why I described the breach as 40,000,000 records, plus "a further 70,000,000 records," and why I ended with, "Let's hope that there aren't any more databases that the crooks got into while they were targeting Target."

      In other words, it seems that what we have is a giant breach consisting, so far, of two big sub-breaches...

      • Lee · 633 days ago

        Any speculation why Target's internal security tools failed to stop these breaches? And secondly, considering that Target is a huge corporation with presumably top-notch security people and big security budgets, does this mean smaller retailers and online merchants with much smaller budgets for security are more at risk for this kind of breach? What should every merchant now do in light of these revelations?

        • Deramin · 633 days ago

          The problem with security tools (in general) is that they're really good at detecting things they've been told exist, and usually pretty bad (though getting better) at detecting things that have never been seen before. That's why targeted attacks are so effective.

          Just because a company is big and has the resources to have top-notch security people, doesn't mean they do. Shareholders don't like companies spending a penny they don't have to, and, sadly, good security practices are often seen as paranoid, unneeded spending. You're actually much safer shopping with retailers hit with huge data breaches a few years prior, because there's just about the only businesses with the proper amount of fear and good judgement put into them.

          Every merchant should do now what every merchant should do always. Assume you're going to get hit, secure your data accordingly, and don't keep data you don't need! Do you settle for "This is probably good enough." It probably isn't. Don't do your own card processing if you can avoid it; do your research on the security of available card processors and trust them to be more competent (because it's their business, not yours).

          • Carol Scott · 624 days ago

            Excellent information and advice. We just hope it is well-taken by companies big and small and that it is a wake-up call to all consumers to have ID Theft protection in place before it is needed.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog