Target is still cleaning up after its disastrous data breach of December 2013, and recovery costs continue to climb for the US retail giant.
Target says it reached a $19 million settlement with MasterCard to cover some of the damages to financial institutions that issue MasterCard credit and debit cards.
Although there have been a lot of smaller data breaches since, at Neiman Marcus, Michael’s, P.F. Chang’s and others – the Target breach and the even bigger breach at Home Depot have put an intense focus on the problem of credit card data theft.
As we reported at the time, Target was breached by cybercriminals who planted malware on credit card terminals in its stores during the Christmas shopping season, stealing unprotected data as customers swiped their cards to pay.
The sophisticated cybercriminals behind the Target breach haven’t been identified, and they disappeared after selling the stolen account details to other crooks who used them to make fraudulent purchases.
It took a lot of skullduggery and even luck for the cybercrooks to pull off what they did – they managed to steal credentials to Target’s network from a plumbing company working for it, and used them to move freely about the network, steal the credit card data, and then exfiltrate it to a server in Russia.
Target might have prevented the data theft if it had listened to its own security team – a special security group noticed the malware and tried to warn Target, but the company didn’t act on the team’s warnings.
Home Depot was victimized by the same type of malware as Target, a malware called Backoff that stole credit card information from its point-of-sale terminals, affecting 56 million customers whose accounts were exposed in the breach.
Around the same time as Home Depot was hit, the FBI warned retailers about Backoff, which it estimated had breached over 1000 businesses.
Target said it has updated all of its terminals to accept modern credit cards with an embedded chip, which are more secure than magnetic stripe cards.
Home Depot said it too has updated its terminals – installing 85,000 new pin pads in 2200 stores in North America – but there are more retail merchants that haven’t spent the money to upgrade all their point-of-sale equipment.
How many millions of machines will need to be replaced in all the retail businesses in the US?
It’s a big job but one that needs to be done.