Cross posted from http://www.securit360.com/blog where I am a regular author.
Updated: As originally reported by the WSJ, and sourced here from Business Insider, Target had a warning last spring about a new emerging threat against POS systems. Internal analysts requested additional scrutiny.

Updated: According to an article posted on Krebsonsecurity, “the initial intrusion into its systems was traced back to network credentials that were stolen from a third party vendor.”

The recent retail breaches show that compliance is not enough. Cyber security needs to be an organization-wide initiative:
Initial Target Data Breach
Breach: Target, sometime between Thanksgiving and December 15th, 2013. Estimated 40 million records.
Discovered: Sometime around mid-December 2013.
Reported: Target confirms breach of 40 million records on December 19th, 2013.
Notes: On Wednesday, December 18th, data from the theft had already flooded underground markets.
Neiman Marcus Confirms Breach
Breach: Scope unknown. UPDATED: Included credit and debit cards dating back to July 2013. UPDATED: Approximately 1.1 million credit and debit cards affected.
Discovered: Sometime around mid-December 2013. UPDATED: The breach was not confirmed until January 1st.
Reported: Jan 10th 2013, Neiman Marcus reports breach.
Second Target Data Breach
Breach: On Jan 10th, 2013 Target confirms a second breach, which included names, emails, and phone numbers of up to 70 million additional records. This occurred sometime between Thanksgiving and December 15th, 2013. Estimated 70 million records, for a total of 110 million records.
Discovered: Two to five weeks after the initial breach.
Reported: Over a month after the initial breach.
Jan 12th, 2013 Reuters reports more well-known retailers have been breached.
Source: http://www.reuters.com/article/2014/01/12/us-target-databreach-retailers-idUSBREA0B01720140112

UPDATE: The malware known as KAPTOXA has been reported to be involved in the Target breach and is suspected to be involved in the Neiman breach. The article linked here is from iSight Partners, a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security. They claim that the malware has probably infected a large number of POS terminals throughout the retail industry.

We still don’t know who the other retail companies are that were breached around the same time as Target, but it is safe to assume that they were all linked somehow. Retailers are extremely vulnerable during the holiday season simply due to the high customer volume. They try to get as many customers in and out as possible during peak times, and they neither want, nor have the ability, to inconvenience their consumers with any increased scrutiny.

In these recent attacks the attackers had access to customer data for several weeks, as the breaches weren’t even discovered until at least 3 weeks after they initially started, and they weren’t reported until about a month later. Additionally, even after the breaches were discovered, not all of the information was available, so the scope was incomplete. It took Target over a month to understand the full scope of their breach, which is currently the largest breach in history, surpassing the TJ Maxx breach by over 60 million records.

This begs the question, is compliance enough? Retailers, such as Target, are required to be PCI-DSS compliant to handle credit cards, but does that mean the organization is secure? Security is a top-down cultural and organizational mindset. If security doesn’t start from the top, with financing and initiative, and bubble down to scrutiny and diligence, then security holes will exist and there will never be a completely secure organization.
People make mistakes, systems will be compromised, and ultimately data will be breached. The question is, how quickly can an organization recognize and respond to the breach?