Thanks, Target.



Phil Thien
01-15-2014, 11:09 AM
The E-Mail came early this morning ("your CC information has been compromised, that number was deactivated, and new cards are on the way"). The E-Mail didn't mention Target by name, but...

Target seems pretty tight-lipped about exactly how this happened. They keep saying they're investigating. Probably pretty embarrassing because the bad guys were all the way up Target's keister. As they have adopted the typical drib/drab method of disclosure, I wouldn't be terribly surprised if more disclosure (like the criminals have the SSN's of all our employees) is on the way.

In a strange way, my hat is off to the guys that pulled this off.

George Bokros
01-15-2014, 11:19 AM
Sorry to hear this Phil. A friend of mine that lives in Colorado told me his CC info had been compromised at Target. He did check his credit card and found a transaction that was not his. He did not say how large but it is still disconcerting that this happened. I am seriously thinking of stopping credit card use since I use it for convenience only but it makes on-line purchasing impossible.

Before Bank of America bought up MBNA my credit card had a feature that you could generate a one use credit card number for on-line purchasing. I do not know if BoA kept this feature but plan to check it out.

George

Steve Wurster
01-15-2014, 11:38 AM
Looks like Target was hit by malware within the POS devices: http://www.securityweek.com/target-confirms-point-sale-malware-was-used-attack

Steve Baumgartner
01-15-2014, 11:50 AM
My daughter landed at LAX only to discover that the car rental rejected her card because it was cancelled. She had shopped at Target during the danger period and someone had tried to charge $8000 on it!

I too have been wondering about Target's reluctance to discuss what happened. My suspicions are:

- This was an inside job by someone they trusted with far more access than they should have. Sort of like Edward Snowden. They are worried about being sued for negligence.
- The exploit exposed a massive hole in their security that they should have known enough to close. Again, they are worried about being sued for negligence.
- The exploit exposed a hole that is in common with the software used throughout the industry, and the others asked them to hush it up for fear they would all get hacked.

Phil Thien
01-15-2014, 11:55 AM
Looks like Target was hit by malware within the POS devices: http://www.securityweek.com/target-confirms-point-sale-malware-was-used-attack

Yep, that article just doesn't go into enough detail about the mechanism by which all the registers were infected. I realize they are certainly centrally maintained when it comes to updates, etc. But for someone to write code that would get ONTO the management servers and then download to the registers is really quite an accomplishment.

Phil Thien
01-15-2014, 11:56 AM
My daughter landed at LAX only to discover that the car rental rejected her card because it was cancelled. She had shopped at Target during the danger period and someone had tried to charge $8000 on it!

I too have been wondering about Target's reluctance to discuss what happened. My suspicions are:

- This was an inside job by someone they trusted with far more access than they should have. Sort of like Edward Snowden. They are worried about being sued for negligence.
- The exploit exposed a massive hole in their security that they should have known enough to close. Again, they are worried about being sued for negligence.
- The exploit exposed a hole that is in common with the software used throughout the industry, and the others asked them to hush it up for fear they would all get hacked.

- Agreed.
- Agreed.
- Agreed.

Sorry for your daughter. At least I'm not travelling or anything.

David Weaver
01-15-2014, 12:06 PM
Like a lot of other folks here are probably getting, I just got an email from Target informing me (as a shopper, but not one with a Target card) that my email address, regular address and name may have (likely?) been taken, and offering credit monitoring.

Over Christmas, the card that I have used at Target got lost unintentionally, and I still don't know where it is - obviously I canceled it already. That sort of solves any issue with that. But I'm not especially pleased that they allowed address, name, email address etc. to be harvested. Now I'd assume that I have to monitor my credit reports to make sure nobody tries to use any personal information they harvested from Target to try to set something up.

I wonder how many more "updates" are going to be coming out, detailing more information that was taken that they "just noticed".

eugene thomas
01-15-2014, 12:21 PM
just makes ya wonder how big the hit would be if it happened at Wal Mart or an online giant like Amazon...

Malcolm Schweizer
01-15-2014, 12:33 PM
I hosted an online forum for wood surfboard builders. The forum used the same platform this forum uses. I had to delete 15 or more user requests DAILY that were spammers. This was my daily routine. Then one day I logged in, and the site said "Hacked by Chan." My entire site was disabled.

I called the IP provider and they deleted malware and got the site up and running, but it still had issues. The forum did not work. Long story short, the IP provider lectured me on keeping my password safe. Let me tell you- my password is made from random numbers and letters. It means nothing, i.e. It is not a word, a name, a date, etc. It is just a random bunch of numbers and letters. ONLY I knew the password. Not even my wife knew it.

So how did they get in? The PHPBB bulletin board software itself had a "back door" that allowed a hacker to get into the site. This is a software used by thousands of bulletin boards. This bulletin board, in fact, appears to be based on the PHPBB platform. So my point is- it doesn't have to be an employee that they trusted with more than they should have. It could be malware on a third-party system.

Ultimately my bb was shut down because in trying to remove the malware I screwed up the login file. My business website and email became unusable, costing me $$$$$$$.

Where did the hack come from? CHINA! Also of all the spam attempts I had, half were from China, and the other half from Russia, Ukraine, Romania, Poland, and Latvia.

Pat Barry
01-15-2014, 12:39 PM
Target was victimized by this. So in turn were its customers. I feel it irresponsible to be blaming Target for this. It could have been anyone.

By the way, our credit card company (not Target) notified us of this issue directly the day before the news broke. By the time it was on CNN we had already been informed a new card was in the mail.

Brian Elfert
01-15-2014, 1:18 PM
Apparently the card readers at Target are running some version of Windows embedded. Nobody has said how the malware got installed.

Steve Peterson
01-15-2014, 1:18 PM
I had a credit card hack a few months ago. It started with an $85 perfume purchase sent to a different address. About a month later, they attempted to charge several thousand dollars on the card. It included lots of electronics plus $1000 purchased on iTunes. I got a call from the credit card company since they suspected fraud. They read through the list asking me which purchases were mine. In the end, all charges were cleared up. I don't know who eats the loss.

Steve

David Weaver
01-15-2014, 3:02 PM
Target was victimized by this. So in turn were its customers. I feel it irresponsible to be blaming Target for this. It could have been anyone.

By the way, our credit card company (not Target) notified us of this issue directly the day before the news broke. By the time it was on CNN we had already been informed a new card was in the mail.

It is not, however, unreasonable to expect that Target may not have been as expedient and complete as they should have been communicating it. We'll never know if they dragged their feet disclosing certain things, or if they've disclosed everything that was taken.

Matt Meiser
01-15-2014, 3:23 PM
Apparently the card readers at Target are running some version of Windows embedded. Nobody has said how the malware got installed.

The POS systems are definitely Windows. I was checking out once when someone took over by remote control and rebooted one, after I'd swiped my card. I had to wait around 20 minutes for them to figure out if I'd actually been charged. Saw the Windows splash screen as it rebooted. We had the same thing happen at a BofA ATM only they did it after it accepted our deposit, but before processing. That was Windows too.

Matt Meiser
01-15-2014, 3:27 PM
Target was victimized by this. So in turn were its customers. I feel it irresponsible to be blaming Target for this. It could have been anyone.

Target is absolutely responsible for the security of their systems. If retailers aren't held accountable, they'll continue to be lax. How many stories like this do we need to hear before they start to take it seriously? Why should the card companies, banks, and consumers have to pay the tangible and intangible costs of Target's failure?

Phil Thien
01-15-2014, 3:27 PM
Target was victimized by this. So in turn were its customers. I feel it irresponsible to be blaming Target for this. It could have been anyone.

By the way, our credit card company (not Target) notified us of this issue directly the day before the news broke. By the time it was on CNN we had already been informed a new card was in the mail.

Reminds me of a neighbor telling me how her car was stolen from her driveway.

Only later did my wife tell me she heard the car was running, and unattended. Car was left running, unlocked, neighbor was inside waiting for the car to warm up when the car was taken.

Somehow I didn't feel quite as bad for the neighbor.

Point being, we all have to take precautions to protect ourselves. Apparently, Target's measures were insufficient.

Bill ThompsonNM
01-15-2014, 3:39 PM
As an aside, if your credit card is compromised and you don't get a notification in real time, maybe you should be carrying a card from a different bank. All of the top card processors have very sophisticated software to detect a possible fraudulent charge on your card. I have my account set up to notify me by text when they question a charge. They have denied the charge before it was made, cancelled that card and sent me a new one all within minutes of the misuse. This wouldn't help you know that Target has given your card away before it is used, but there shouldn't be surprises at the airport that your card is cancelled either.

After being responsible for security for a large online financial firm for 5 years, I would disagree with Pat Barry. Target should take the blame; very large compromises like this should never involve a single point of failure. Clearly they didn't anticipate the risks properly, didn't monitor the transfers of data properly, and their security suffered accordingly. Security costs money; it would be interesting to know if budget limitations helped create this breach or if more fundamental principles were violated in designing their systems.

Brian Elfert
01-15-2014, 4:18 PM
Credit card issuers and merchants don't want to switch to chip technology because of the cost involved, but it would greatly increase security. The chip generates a one-time use number to use instead of the actual card number. I think Target wishes they had chip technology now as new card readers would cost less than this incident will cost them.

Ironically, Target was one of the first in the USA to have cards with chip technology. They abandoned the cards with chip technology as other card issuers were not making them and each transaction took longer because the card readers were slower.

Pat Barry
01-15-2014, 7:13 PM
Target is absolutely responsible for the security of their systems. If retailers aren't held accountable, they'll continue to be lax. How many stories like this do we need to hear before they start to take it seriously? Why should the card companies, banks, and consumers have to pay the tangible and intangible costs of Target's failure?
Sure Matt, but the point is, this could have happened anywhere, it's just Target was targeted by the hackers / crooks / whatever. The point is, if we blame Target then we have our heads in the sand and are thinking about this too simplistically. I do agree with the expediency, however, we don't know that they were dragging their feet, do we? I suppose there will be a congressional investigation (oh boy!)

Matt Meiser
01-15-2014, 9:33 PM
Except Target essentially left the doors unlocked and the keys in the ignition. Or maybe they had the hidden key under the bumper someone found. Or gave the key to the shady looking valet. Or whatever. In the end they pay a price, but the banks and consumers pay a lot higher price.

Jeff Erbele
01-16-2014, 12:27 AM
To say Target is tight lipped or reluctant to speak about this problem is simply not true. They are all over the news and the CEO was on CNBC addressing the public about the issue. They also issued a press release and if they have a customer's email are contacting those by that means. Just because one did not read the news or hear the news does not negate it.

Hats off to whoever pulled this off? Wow. I don't understand that at all. It is a very serious matter, is being investigated by the Department of Justice, did a lot of damage, perhaps cost Target business and customers, and who knows what the cost in labor and overhead in taking defensive and corrective measures. Then there is the customer, card holder side of things, their concerns, time, and personal security. The hacker or hackers are not heroes by any strange stretch.

Steve Rozmiarek
01-16-2014, 1:31 AM
My card was compromised by another company's breach. I don't get why there is so much data available to the hackers. It's not supposed to be kept, at least that's what the card companies tell the merchants, so why is so much data available? Are they just that slow to catch it?

Shawn Russell
01-16-2014, 7:37 AM
I would not say they are to blame, but they certainly did a piss poor job with communication and lying about how bad the threat was.


Target was victimized by this. So in turn were its customers. I feel it irresponsible to be blaming Target for this. It could have been anyone.

By the way, our credit card company (not Target) notified us of this issue directly the day before the news broke. By the time it was on CNN we had already been informed a new card was in the mail.

David Weaver
01-16-2014, 7:47 AM
My card was compromised by another company's breach. I don't get why there is so much data available to the hackers. It's not supposed to be kept, at least that's what the card companies tell the merchants, so why is so much data available? Are they just that slow to catch it?

I kind of wonder if the records are kept due to return policies. Otherwise, you'd think they'd not need to keep any record after they cleared.

Matt Meiser
01-16-2014, 8:59 AM
Obviously they are keeping them since most places don't need the card to process a return. Menards can even reprint any receipt for your card for some period of time.

Phil Thien
01-16-2014, 9:13 AM
To say Target is tight lipped or reluctant to speak about this problem is simply not true. They are all over the news and the CEO was on CNBC addressing the public about the issue. They also issued a press release and if they have a customer's email are contacting those by that means. Just because one did not read the news or hear the news does not negate it.

What I've read and witnessed is a well-orchestrated damage-control campaign.


Hats off to whoever pulled this off? Wow. I don't understand that at all. It is a very serious matter, is being investigated by the Department of Justice, did a lot of damage, perhaps cost Target business and customers, and who knows what the cost in labor and overhead in taking defensive and corrective measures. Then there is the customer, card holder side of things, their concerns, time, and personal security. The hacker or hackers are not heroes by any strange stretch.

Jeff, I didn't say they were heroes. You are implying I said they were heroes, and then disagreeing. That is a pretty sophomoric attempt at a straw-man, please don't straw-man me.

What I said was, "in a strange way, my hat is off to them." Meaning, I think we have to respect the skill and dedication (if not professionalism) of these hackers. I stand by what I said 110%.

Only after we respect what they can seemingly accomplish do we stand a chance of defeating them.

Curt Harms
01-16-2014, 9:16 AM
At least the guys who hacked Neiman Marcus had more expensive tastes :p. I'd read that some invitation-only Amex cards 'acquired' there had $7500 application fees and $2500 annual fees. I'd like to know the limit and perks on those puppies.

Eric DeSilva
01-16-2014, 9:25 AM
just makes ya wonder how big the hit would be if it happened at Wal Mart or an online giant like Amazon...

I seem to recall yesterday's news claiming that the Target breach was not the only one over the holiday period--that there were several other major retailers hit in the same way, and the belief is that it was the same group of hackers who perpetrated all the breaches.

Phil Thien
01-16-2014, 9:25 AM
I kind of wonder if the records are kept due to return policies. Otherwise, you'd think they'd not need to keep any record after they cleared.

All that is needed to process a return is the bank identification #, account #, and check digit. Basically the CC number. You don't need anything beyond that.

Problem is, many merchants (thinking their security is impenetrable) do store everything.

Other problem is, if malware gets on the register itself, it has access to everything whether it is stored, or not.

Brian Elfert
01-16-2014, 9:42 AM
My card was compromised by another company's breach. I don't get why there is so much data available to the hackers. It's not supposed to be kept, at least that's what the card companies tell the merchants, so why is so much data available? Are they just that slow to catch it?

Malware was supposedly installed on the card readers directly. The card reader certainly has to have the number even if the number is never actually stored. Plenty of merchants do recurring credit card charges so they need to keep the number, but I believe there are ways of tokenizing the card numbers now so the actual number is not stored.

Bill Edwards(2)
01-16-2014, 10:06 AM
In today's litigious society, if I were Target, I wouldn't say anything that wasn't needed.

If you were paying attention, the number kept growing. A lot of people think that's suspicious, I don't. I think that's pretty normal when you're trying to find out the depth of something that was done surreptitiously. It's not like the hackers left behind an activity log to help Target out. :rolleyes:

My wife shopped there on Black Friday. The day I heard the announcement, we received a note from our bank, saying they'd cancelled her card and were issuing a new one. I was impressed. Sure it was a pain, but less of a pain than chasing bogus charges and such.

Pat Barry
01-16-2014, 12:43 PM
Somehow I didn't feel quite as bad for the neighbor.

Really? Your neighbor's car was stolen from her driveway and you are now blaming her? un-be-leive-a-bull. Glad I'm not your neighbor.

Pat Barry
01-16-2014, 12:48 PM
After being responsible for security for a large online financial firm for 5 years, I would disagree with Pat Barry. Target should take the blame; very large compromises like this should never involve a single point of failure. Clearly they didn't anticipate the risks properly, didn't monitor the transfers of data properly, and their security suffered accordingly. Security costs money; it would be interesting to know if budget limitations helped create this breach or if more fundamental principles were violated in designing their systems.
Let's jump to conclusions. It's an easy way to duck our heads in the sand. A lot easier and more appealing than having actual facts. Now, I'll wait and see what the actual facts are before I condemn Target. In the meantime, let's just realize, the crooks are only a very short step behind whatever security measures are put in place and (I bet) if they had decided to go after WalMart or Amazon, or anyone else for that matter including our very own NSA, they would have gotten in.

By the way, to your first point, I was notified by my VISA card provider before the news hit the air as I stated previously.

Phil Thien
01-16-2014, 1:07 PM
Really? Your neighbor's car was stolen from her driveway and you are now blaming her? un-be-leive-a-bull. Glad I'm not your neighbor.

Yep, everyone should know not to leave their car unattended, unlocked, and running.

I'd also blame my kid if their bike was scotched because they left it unlocked at the mall.

And I'd be critical of my wife if our house was burglarized because she left it wide open and then went to the movies.

And I'd expect anyone I know to give me a dope-slap if I pulled any of those stunts.

Because I'm living in the present (2014), so I don't act like it is 1914.

Brian Elfert
01-16-2014, 1:18 PM
Really? Your neighbor's car was stolen from her driveway and you are now blaming her? un-be-leive-a-bull. Glad I'm not your neighbor.

Yes, it is partly her fault. Would a thief have taken her car if the keys were not in it and running? It is still mostly the thief's fault, but she has to take part of the blame. There are many cities where it is against the law to idle a vehicle like that unless you have a system that disables the car while it is idling.

Jessica Pierce-LaRose
01-16-2014, 5:00 PM
My card was compromised by another company's breach. I don't get why there is so much data available to the hackers. It's not supposed to be kept, at least that's what the card companies tell the merchants, so why is so much data available? Are they just that slow to catch it?

From here:

http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/

It sounds like the mechanism the hackers used basically was pulling a lot of this info, some of which hopefully was not saved, out of the computer's memory before it was encrypted or sent to the CC processing companies. So they probably got a lot of info that wouldn't be saved, and managed to get a hold of anything a card reader could see at the initial swipe. Sounds like the origin of the hack was not physical access to individual POS terminals, but via a hack of a company server, which is unsettling to say the least.
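
Added example, not part of any post in this thread: a check a merchant could run over its own logs or exports to confirm that the swipe data discussed above (the full Track 2 stripe contents, or a bare card number) is not being written out in the clear. It uses the card number's check digit (the Luhn algorithm) to discard look-alike numbers; the function names and sample log lines are constructed for illustration, and the card number is a publicly documented test number.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare card number: 13-19 digits, optionally grouped with single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the last digit is a valid Luhn check digit for the rest."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so reports hold no full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return [(kind, masked_number)] for cleartext card data found in one line."""
    findings = []
    covered = []                # spans already reported as Track 2 data
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append(("track2", mask(pan)))
            covered.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue            # same number, already counted above
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append(("pan", mask(pan)))
    return findings


def audit(lines):
    """Scan an iterable of text lines; return [(line_number, kind, masked_number)]."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        for kind, masked in scan_line(line):
            report.append((lineno, kind, masked))
    return report


# Constructed sample log (not real data). 4111111111111111 is a standard test number.
SAMPLE_LOG = [
    "2014-01-15 10:02:11 DEBUG swipe raw=;4111111111111111=15121010000000000000? lane=7",
    "2014-01-15 10:02:12 INFO auth ok card=411111******1111 amount=23.40",
    "2014-01-15 10:05:40 INFO refund card=4111 1111 1111 1111 order=9000000000002",
    "2014-01-15 10:09:03 INFO txn_id=4111111111111112 status=settled",
]

if __name__ == "__main__":
    for lineno, kind, masked in audit(SAMPLE_LOG):
        print(f"line {lineno}: cleartext {kind} data ({masked})")
```

Line 1 of the sample is the worst case: a debug log of the raw stripe, which includes the expiry and service code as well as the number. Lines 2 and 4 produce no finding, because one is already masked and the other fails the check digit.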

Dave Lehnert
01-16-2014, 5:04 PM
Harbor Freight had problems and I don't recall seeing anything about it on the news.
http://www.bankinfosecurity.com/impact-harbor-freight-attack-grows-a-5970/op-1

George Bokros
01-16-2014, 6:09 PM
There are many cities where it is against the law to idle a vehicle like that unless you have a system that disables the car while it is idling.

And what do they do, give you a ticket / fine if your car is stolen because it was left idling in the driveway? Fine howdy do, they take the theft report and say oh by the way here is a ticket because you violated our city ordinance for leaving your car running in the driveway, that is adding insult to injury. Glad I don't live in that city.

George

Pat Barry
01-16-2014, 6:48 PM
Yep, everyone should know not to leave their car unattended, unlocked, and running.

I'd also blame my kid if their bike was scotched because they left it unlocked at the mall.

And I'd be critical of my wife if our house was burglarized because she left it wide open and then went to the movies.

And I'd expect anyone I know to give me a dope-slap if I pulled any of those stunts.

Because I'm living in the present (2014), so I don't act like it is 1914.
But... it's your neighborhood, your neighbor. It's not a stunt, man. Get with the program. Quit blaming the victim

Brian Elfert
01-16-2014, 8:03 PM
And what do they do, give you a ticket / fine if your car is stolen because it was left idling in the driveway? Fine howdy do, they take the theft report and say oh by the way here is a ticket because you violated our city ordinance for leaving your car running in the driveway, that is adding insult to injury. Glad I don't live in that city.


I believe the ordinance only applies if you park on the street. One city I know that has the ordinance has lots of on-street parking. I doubt they would ticket someone whose car was stolen because the police would usually have to witness the car left idling with the key in it. The ordinance is more about cutting down auto theft than it is about revenue.

Dan Hintz
01-16-2014, 8:33 PM
In response to some of the questions here...

CC #s are hashed if they are to be stored. If anyone is caught using non-hashed #s, the CC company can levy huge fines and/or yank the account. Can anyone guess what happened at TJX (Owners of TJ Maxx, et al.)? Anyone? Bueller? Bueller?

Windows is one of the most easily hacked OSes. Not the root cause here, but 'nuff said...

Phil Thien
01-16-2014, 9:03 PM
But... it's your neighborhood, your neighbor. It's not a stunt, man. Get with the program. Quit blaming the victim

We're going to have to agree to disagree on this one, Pat.

Phil Thien
01-16-2014, 9:18 PM
In response to some of the questions here...

CC #s are hashed if they are to be stored. If anyone is caught using non-hashed #s, the CC company can levy huge fines and/or yank the account. Can anyone guess what happened at TJX (Owners of TJ Maxx, et al.)? Anyone? Bueller? Bueller?

Windows is one of the most easily hacked OSes. Not the root cause here, but 'nuff said...

The way this typically works for small businesses is that, a merchant is responsible for all costs related to CC fraud resulting from a breach in their security. The prospect of those costs is so daunting that a small business won't typically keep card #'s. If they DO keep card #'s, they will typically buy insurance which, to a degree, indemnifies them in the event of a breach. The outfits that offer insurance typically want to perform security audits to verify security is sufficient.

But I have no idea how it works once a merchant is the size of TJX or Target. I imagine each deal is individually negotiated.

I did some googling, did TJX actually have to pay something out?

BTW, the hacker involved was this guy:

http://en.wikipedia.org/wiki/Albert_Gonzalez#TJX_Companies

He is serving a 20-year sentence. But a new wrinkle: He wants to withdraw his guilty plea. He says he was working in some capacity with the Secret Service. And the Secret Service has no comment. So Whitey Bulger all over again?

Stephen Musial
01-16-2014, 10:30 PM
My wife not only used her Target Red Card during the time period, but on the Monday before Christmas, we had a nurse come out to the house to give her a mini physical for long term disability insurance. She took all of my wife's info (name, address, SSN, etc.) along with 3 vials of blood and a urine sample. Yesterday we got a letter from the company that handles the physicals that the package never reached the insurance company. My wife's HR department contacted them and was told that the nurse put the package on her front porch for pickup and it was stolen before it was ever picked up.

They generously gave us a year of credit watch with Trans-Union and that was it.

Bill ThompsonNM
01-17-2014, 12:42 AM
The way this typically works for small businesses is that, a merchant is responsible for all costs related to CC fraud resulting from a breach in their security. The prospect of those costs is so daunting that a small business won't typically keep card #'s. If they DO keep card #'s, they will typically buy insurance which, to a degree, indemnifies them in the event of a breach. The outfits that offer insurance typically want to perform security audits to verify security is sufficient. But I have no idea how it works once a merchant is the size of TJX or Target. I imagine each deal is individually negotiated. I did some googling, did TJX actually have to pay something out? BTW, the hacker involved was this guy: http://en.wikipedia.org/wiki/Albert_Gonzalez#TJX_Companies He is serving a 20-year sentence. But a new wrinkle: He wants to withdraw his guilty plea. He says he was working in some capacity with the Secret Service. And the Secret Service has no comment. So Whitey Bulger all over again?

I work in a small local business now. Our credit card processors can charge up to $80000 to investigate a credit card security problem, so we opted to store NO credit cards, 80000 might not be much to a business the size of target, but for most small businesses it would be fatal. If any mom and pop stores are keeping credit card numbers for any reason, they have a time bomb ticking! We do have to fill out yearly reports for our processors on how we handle credit cards. Our staff goes through yearly training on how to handle credit cards and credit card numbers.

Brian Elfert
01-17-2014, 8:49 AM
Companies handling credit cards generally have to deal with PCI compliance. PCI compliance is not an easy thing to deal with. They are very strict on how credit card numbers are handled and it can take a lot of time for even a smaller company to do a PCI audit. In some cases it is easier to have Paypal or another processor take care of credit cards so Paypal handles the PCI compliance.

Dan Hintz
01-17-2014, 2:48 PM
Companies handling credit cards generally have to deal with PCI compliance. PCI compliance is not an easy thing to deal with. They are very strict on how credit card numbers are handled and it can take a lot of time for even a smaller company to do a PCI audit. In some cases it is easier to have Paypal or another processor take care of credit cards so Paypal handles the PCI compliance.

On that note...

When I had my e-cart up and running, I did not keep credit card numbers on hand. I had no reason to, nor did I want the responsibility. I paid around $150/yr for PCI compliance checks on my system, despite the fact that my processor handled the actual transaction. The # came through my system, so it had to be audited yearly.

Pat Barry
01-17-2014, 7:36 PM
Target Breach Appears to Be Part of Broader Scam

http://abcnews.go.com/Business/wireStory/target-breach-appears-part-broader-scam-21564537

We might need to start blaming someone other than Target

Myk Rian
01-17-2014, 8:53 PM
But for someone to write code that would get ONTO the management servers and then download to the registers is really quite an accomplishment.
Oh yeah, it's possible to patch software WHILE the system is running. I knew a gal that was hired specifically because of her ability to do that.

Dan Hintz
01-17-2014, 9:40 PM
Oh yeah, it's possible to patch software WHILE the system is running. I knew a gal that was hired specifically because of her ability to do that.

DLL hooking is the mainstay of virus writers... there's zero issue with making mods while a system is running.

Phil Thien
01-17-2014, 9:41 PM
Target Breach Appears to Be Part of Broader Scam

http://abcnews.go.com/Business/wireStory/target-breach-appears-part-broader-scam-21564537

We might need to start blaming someone other than Target

Instead I'd say we might need to start blaming others IN ADDITION to Target.

That story only mentioned Target and Neiman Marcus, though. Nothing really new there.

Pat Barry
01-17-2014, 10:02 PM
Instead I'd say we might need to start blaming others IN ADDITION to Target.

That story only mentioned Target and Neiman Marcus, though. Nothing really new there.

Maybe so "The bulletin tells merchants how they can identify the methods and malicious software used in the attack, Reuters says (http://www.reuters.com/article/2014/01/16/us-target-databreach-warning-idUSBREA0F1N920140116), which Target's anti-virus tools ultimately failed to pick up on."

We can blame whoever created the anti-virus tools that failed; who was that anyway? I bet it wasn't developed in-house by Target. Aren't there big software companies that do that sort of thing? I can't think of any names though but let's include them for sure.

Phil Thien
01-17-2014, 10:20 PM
Maybe so "The bulletin tells merchants how they can identify the methods and malicious software used in the attack, Reuters says (http://www.reuters.com/article/2014/01/16/us-target-databreach-warning-idUSBREA0F1N920140116), which Target's anti-virus tools ultimately failed to pick up on."

We can blame whoever created the anti-virus tools that failed; who was that anyway? I bet it wasn't developed in-house by Target. Aren't there big software companies that do that sort of thing? I can't think of any names though but let's include them for sure.

We can agree on that 110%.

Jeff Erbele
01-18-2014, 4:53 AM
What I've read and witnessed is a well-orchestrated damage-control campaign.


Jeff, I didn't say they were heroes. You are implying I said they were heroes, and then disagreeing. That is a pretty sophomoric attempt at a straw-man, please don't straw-man me.

What I said was, "in a strange way, my hat is off to them." Meaning, I think we have to respect the skill and dedication (if not professionalism) of these hackers. I stand by what I said 110%.

Only after we respect what they can seemingly accomplish do we stand a chance of defeating them.

Phil, Your clarification makes sense and is appreciated. The demeaning insult is not. I never thought of, much less had any intent of committing any straw man fallacy. We don't congratulate terrorists no matter how sophisticated and that is how I read and pondered it before posting.

Target was one of at least six retailers affected. Damage control is a given. With partial awareness, why paint that as a bad thing when they were the intermediary victim of the true bad guys, the hackers, the criminals they are?

The headline news is extensive and ongoing as the investigation continues by Target and retailers, major banks, credit card companies, cyber security experts, companies and consultants, forensic investigators, Neiman Marcus, JPMorgan Chase, American Express, Citi, Verizon, Javelin Strategy & Research, Seculert, a security company headquartered in Israel, Mandiant, a computer security firm that responds to breaches, extortion attacks and economic espionage campaigns (Mandiant being purchased by FireEye), cyber security firm iSight Partners, the Dept of Justice, the Secret Service, the FBI, the Dept of Homeland Security and perhaps more; all documented in the media.

One estimate is the hack will cost $18 billion and another $4 billion in losses to consumers.

How they did it. (http://recode.net/2014/01/17/how-the-target-hackers-did-it/)

Phil Thien
01-18-2014, 10:18 AM
Target was one of at least six retailers affected. Damage control is a given. With partial awareness, why paint that as a bad thing when they were the intermediary victim of the true bad guys, the hackers, the criminals they are?



I would just like them to be more forthcoming, too. The reality is, the facts will be uncovered, people will respect Target MORE for getting the facts out first.


More and more press on this (but not from Target):

"Security firm IntelCrawler says it has identified Target malware author"

http://www.washingtonpost.com/business/technology/security-firm-intelcrawler-says-it-has-identified-target-malware-author/2014/01/17/258efa48-7fa4-11e3-9556-4a4bf7bcbd84_story.html

"The company said the teenager did not perpetrate the attacks, but that he wrote the malicious programs — software known as BlackPOS — used to infect the sales systems at Target and Neiman Marcus. Andrew Komarov, the chief executive of IntelCrawler, said the attackers who bought the software entered retailers’ systems by trying several easy passwords to access the registers remotely.

“It seems that retailers still use quite easy passwords on most remote-access” servers, Komarov said. He added that there do not appear to be many restrictions on who has access to the remote point-of-sale servers in numerous companies. This, he said, could enable hackers to gain access to a prime target: back-office servers where criminals can pick up pools of data from multiple stores."

Jeff Erbele
01-19-2014, 12:46 AM
Instead I'd say we might need to start blaming others IN ADDITION to Target.

That story only mentioned Target and Neiman Marcus, though. Nothing really new there.

Why blame the intermediary victims instead of the perpetrators?

Phil Thien
01-19-2014, 11:26 AM
Why blame the intermediary victims instead of the perpetrators?

We've been over this a few times, but in a nutshell I'm blaming them because they failed to take proper precautions to protect sensitive data.

David Weaver
01-19-2014, 11:31 AM
Damage control is a given.

When you're making announcements in a space of time where people are still being affected by the fact that their information is and was exposed, damage control, or more appropriately, controlled information release in your favor - isn't acceptable at all.

At Thanksgiving, people like me who don't have a Target card were led to believe we weren't part of the information leak, and told to come shop for another 10% off. In my opinion (and we'll never know without an unbiased audit that digs up all communications about it) whether or not they were trying to save their retail season instead of inform everyone appropriately. I believe that's the case. I wasn't notified of my breached information until a couple of weeks ago, and it was by my credit card company first and not Target. Target notified me that they allowed my information to be hacked just this past week.

As far as the "true bad guys", if I loan you tools and you leave them out in your yard while you lock yours away, and mine get stolen, I'm not really going to be interested in hearing about how it's not your fault that someone stole them.

Frank Drew
01-19-2014, 1:43 PM
What I've read and witnessed is a well-orchestrated damage-control campaign.



Jeff, I didn't say they were heroes. You are implying I said they were heroes, and then disagreeing. That is a pretty sophomoric attempt at a straw-man, please don't straw-man me.

What I said was, "in a strange way, my hat is off to them." Meaning, I think we have to respect the skill and dedication (if not professionalism) of these hackers. I stand by what I said 110%.

Only after we respect what they can seemingly accomplish do we stand a chance of defeating them.

I don't know, I had the same reaction as Jeff: You admit to a certain admiration (110%, no less) for the thieves and sociopaths who pull off these kinds of things, but for the poor lady, your neighbor whose car was stolen, well, she's pretty much a dope who got what she deserved due to her own carelessness. Phil, no one deserves to be the victim of a crime. And criminals are criminals; clever criminals are still criminals.

And does anyone here think that there can be 100% security against cybercrime? Can anyone name, with certainty, a large corporation, organization or government agency that has not been hacked or otherwise compromised at one time or another?

Phil Thien
01-19-2014, 2:49 PM
I don't know, I had the same reaction as Jeff: You admit to a certain admiration (110%, no less) for the thieves and sociopaths who pull off these kinds of things, but for the poor lady, your neighbor whose car was stolen, well, she's pretty much a dope who got what she deserved due to her own carelessness. Phil, no one deserves to be the victim of a crime. And criminals are criminals; clever criminals are still criminals.

And does anyone here think that there can be 100% security against cybercrime? Can anyone name, with certainty, a large corporation, organization or government agency that has not been hacked or otherwise compromised at one time or another?

I think I've addressed that but I will confirm I do think people that invite crime should not act too surprised when it visits.

In terms of your second point, I'm not insisting anyone guarantee 100% security, just follow best practices.

Roger Feeley
01-22-2014, 11:22 PM
I think I've been hacked maybe 4 times total. It seems like a lot to me but I'm told that it's fairly normal.

Something I don't understand about the credit card hacking is that I don't hear much about prosecutions. My card was used to buy a plane ticket from Tokyo to Okinawa. The CC company told me that the ticket had not yet been used. So why wasn't someone at the gate with handcuffs?

My bank does a terrific job of monitoring my account for suspicious activity. I watch my accounts pretty carefully but they always call me before I see a bad transaction.