Information about the massive Target data breach gets uglier by the day.
The holiday data breach at Target Corp. appeared to be part of a broad and highly sophisticated international hacking campaign against multiple retailers, according to a report prepared by federal and private investigators that was sent to financial-services companies and retailers.
The Journal also said:
ISight and DHS declined to name other companies that fell victim to the attack. But former U.S. officials and people close to the investigation said it isn’t limited to Target.
Now there’s a new report from Reuters:
A cybercrime firm says it has uncovered at least six ongoing attacks at U.S. merchants whose credit card processing systems are infected with the same type of malicious software used to steal data from Target Corp.
Just to refresh your memory: First, Target announced that the debit and credit card information of 40 million customers who shopped at Target stores between Nov. 27 and Dec. 15 was compromised. Then it said the personal information — like names, addresses, phone numbers and email addresses — of 70 million customers had also been taken.
Then Neiman Marcus said it too had a data breach, although it won’t reveal details. “The luxury retailer said there is no indication its security breach, which also involved malware, was related to Target’s,” the Journal says.
Both Target and Neiman Marcus are offering free credit monitoring to customers for a year. (A Forbes writer said she got an email from Target notifying her that her personal information may have been taken — even though she hasn’t shopped at Target in 10 years.)
The fallout continues.
- Citi says it’s replacing debit cards that were involved in the Target breach.
- JPMorgan Chase is replacing both credit and debit cards.
- Bank of America and Wells Fargo “told me that they’re relying on their standard practices to monitor customers’ accounts to detect fraud but have no plans to replace debit cards as Chase and Citi have done,” wrote Mark Calvey in San Francisco Business Times.
Meanwhile, more details have emerged about how Target could have been infiltrated. You can read the long version on the highly respected Krebs on Security blog. Paula Rosenblum blessedly simplified it in a Forbes post called “Target Data Breach Is Becoming a Nightmare”:
Long story short, the hackers convinced Target firewalls that they were “good guys.” And once they’d done that, they continued to roam freely around Target’s system. They’ve found data old and new and will use it the way they choose.
The malware apparently stole payment information at the point of sale before it could be encrypted.
In the absence of knowing how widespread the data breach really is, I’d suggest vigilance.
- Monitor your credit card and bank accounts. You won’t be liable for fraudulent purchases, but if your debit card has been compromised, a crook could have access to your bank account. That could make life very unpleasant until the bank restores your funds.
- Keep an eye on your credit reports for suspicious activity.
- If you think your payment information was stolen in the Target or Neiman Marcus attacks, tell your bank you want a new credit or debit card.
- Target customers should be on the lookout for phishing attempts.
Rosenblum said banks have been too slow to act, particularly once it was known that hackers had not only payment information from Target but personal information too.
It’s no longer adequate to just change the PIN numbers. Now, it’s a do-over. I think [issuing new cards] was a wise move. As I’ve mentioned before, I’m frankly pretty befuddled that the entire ecosystem did not move faster to replace cards, change PIN numbers … whatever it took to keep us all safe.