Target says 110 million accounts accessed, not just 40 million.

Started by jimmy olsen, December 19, 2013, 06:58:11 AM

jimmy olsen

If you ever bought anything from Target with a credit card it's time to panic!

http://www.nbcnews.com/business/40-million-credit-debit-card-accounts-may-be-hit-data-2D11775203
Quote
40 million credit, debit card accounts may be hit by data breach, Target says
Alastair Jamieson NBC News

26 minutes ago

Approximately 40 million credit and debit card accounts may be at risk from a major data breach affecting customers at Target stores across the U.S., the retailer said Thursday.

Customer names, credit or debit card numbers are involved in the breach - along with the expiration date and three-digit CVV security code of each card, the store said.

The company said in a statement that it was "aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases" between Nov. 27 and Dec. 15 - the height of the Thanksgiving and Christmas holiday shopping period.

It is one of the largest ever breaches of consumer information, echoing the 2007 theft of data from at least 45.7 million credit and debit cards of shoppers at retailers including T.J. Maxx and Marshalls.

"Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources

It is far better for the truth to tear my flesh to pieces, than for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point

Neil

I do not hate you, nor do I love you, but you are made out of atoms which I can use for something else.

KRonn

NSA strikes again. They need credit card records of all those people in case of a future investigation.    :ph34r:

Admiral Yi

Quote from: Neil on December 19, 2013, 09:08:25 AM
I wonder why they retain that data anyways?

I imagine they have to keep records of transactions for a certain amount of time in case of fraud allegations.

derspiess

"If you can play a guitar and harmonica at the same time, like Bob Dylan or Neil Young, you're a genius. But make that extra bit of effort and strap some cymbals to your knees, suddenly people want to get the hell away from you."  --Rich Hall

Eddie Teach

Quote from: jimmy olsen on December 19, 2013, 06:58:11 AM
If you ever bought anything from Target with a credit card it's time to panic!

:o

Quote
The company said in a statement that it was "aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases" between Nov. 27 and Dec. 15 - the height of the Thanksgiving and Christmas holiday shopping period.

Phew.

To sleep, perchance to dream. But in that sleep of death, what dreams may come?

Ed Anger

Stay Alive...Let the Man Drive

jimmy olsen

No, not really. Guess I should have added a smile at the end of that.

Eddie Teach

To sleep, perchance to dream. But in that sleep of death, what dreams may come?

jimmy olsen

Damn, that's an insanely high number! :o
http://www.nbcnews.com/technology/worst-breach-history-puts-data-security-pressure-retail-industry-2D11898690

Quote
The Target security breach that may have affected as many as 110 million customers — with their names, mailing addresses, phone numbers and credit card information possibly swiped — ranks as the most extensive corporate data hack ever, experts said on Friday.

"This is the worst breach in history," Ken Stasiak, CEO of SecureState, told NBC News. "It's 2014. We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."

Yet without a massive shift towards a credit card technology called EMV that stores data on a chip instead of a magnetic strip, it's likely that data breaches of this size and scale will continue to plague the retail industry, Chester Wisniewski, senior security adviser at Sophos, told NBC News.

Some holiday shoppers had earlier cut up their cards after Target announced on Dec. 19 that some 40 million accounts had been put at risk by a hack that stretched from before Black Friday through mid-December. When the company announced on Friday that 70 million or more people may have been affected, however, the breach soared past prior incidents like the 2007 theft of 45 million credit card numbers from the parent company of TJMaxx and Marshall's.

Seven years ago, however, these kinds of massive hacks were relatively new. The third-largest retailer in the United States should have been more prepared by now, Stasiak said.

"For the sheer volume of data stolen over time, this is new world-record territory for sure," Chris Camejo, director of assessment services for NTT Com Security, told NBC News.

Malware attacks that target a company's point of sale system are becoming more common, Stasiak said, and such a high-profile case could convince other retailers to up their security. There is also the possibility that the U.S. government steps in and imposes its own payment security standards, which today are set entirely by retailers. More small businesses – where the majority of credit card breaches occur – could also commit to payment card industry (PCI) standards that require data encryption, firewalls and other measures.

But stricter standards probably wouldn't prevent massive breaches at big retailers, Wisniewski said, because they usually already have strong security protections in place. (No experts, however, could comment specifically on Target's preparedness for the attack, because the company hasn't shared many details about its privately built payments system).

Due to the degree of difficulty involved, these headline-grabbing hacks are usually custom jobs, Wisniewski said, meaning there are few security solutions that can be applied across the entire industry.

According to Wisniewski, there is only one move that would put an end to these breaches: adopting EMV standards. That means using credit and debit cards that use an encrypted chip instead of a magnetic stripe for more secure transactions. In Australia, similar measures cut the number of fraudulent credit card charges by 29 percent in 2013, according to a report from the Australia Payments Clearing Association.

The U.S. government wants retailers to start making the switch by 2015, but adoption of EMV standards means replacing nearly every payment card terminal in the United States. Smaller merchants are reluctant to foot the bill, Wisniewski said, while banks don't want to issue new EMV cards until it becomes the retail standard.

Still, it's the only thing that would really make a difference, he said.

"With EMV, in other parts of the world, we have never seen more than one credit card compromised at a time, as opposed to 40 million in one go," he said. "It changes the game."

Of course, that won't provide much comfort to Target customers who already had their information stolen. It is unlikely that both data sets stolen from Target were combined and sold together on the black markets that digital thieves prefer, said James Wester, research director of IDC Financial Insights. That is because hackers want to "sell the data as quickly as possible to make a buck," he said.

There might be some silver lining to the massive hack. According to Camejo, experts in the security industry see the sophistication of this latest attack as a sign that criminals are getting desperate.

"Security has been improving, which is why hackers have been resorting to new and novel techniques to steal data," he said. "So we're getting better, but it's still a cat-and-mouse game."

Multiple experts said consumers aren't more at risk now than they were before — they are probably just more aware of the danger, thanks to the high profile of Target. That could make for savvier shoppers.

"With every data breach that occurs, another avenue for data to be compromised is closed off," Wester said, although he cautioned that the arms race between retailers and criminals will probably never end. "As long as there is payment data that can be stolen, there will be hackers who will try to find a way in."

alfred russel

Quote
"This is the worst breach in history," Ken Stasiak, CEO of SecureState, told NBC News. "It's 2014. We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."


No we don't.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

There's a fine line between salvation and drinking poison in the jungle.

I'm embarrassed. I've been making the mistake of associating with you. It won't happen again. :)
-garbon, February 23, 2014

Neil

Yeah, why would we expect them to have decent security?  It's not their credit card info.

DontSayBanana

Quote from: alfred russel on January 11, 2014, 10:12:34 AM
Quote
"This is the worst breach in history," Ken Stasiak, CEO of SecureState, told NBC News. "It's 2014. We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."

No we don't.

Not when dealing with heavily-standardized POS equipment, nope.  Servicing and deploying this stuff is a huge part of my job, and it's laughable how companies will bolt in standard registers and pin pads without ever adding additional security on top of the default stuff.

99% of their register security is simply designing the UI so a cashier can't access an Internet browser during normal usage.  All it takes is one hyperlink in a company intranet email to get around that.
Experience bij!

CountDeMoney

¡Ay, Dios mio!

Quote
Two arrested in connection with Target hack
Police say the pair, stopped at the U.S.-Mexico border, were carrying 90 fraudulent credit and debit cards


Authorities investigating the massive holiday-season hack into Target Corp.'s systems arrested two Mexicans trying to enter the U.S. in McAllen, Texas, with scores of fraudulent credit cards.

The arrests of Daniel Dominguez Guardiola and Mary Carmen Vaquera Garcia may indicate that stolen information from as many as 110 million Target customers is making its way through U.S. stores through small groups of shoppers with fraudulent cards.

Customs and Border Protection officers detained Guardiola, 28, and Garcia, 27, before turning them over to local authorities, McAllen Police Lt. Joel Morales said. Police had outstanding arrest warrants for Guardiola and Garcia alleging credit- and debit-card fraud.

The pair, both from Monterrey, Mexico, were found carrying 90 fraudulent payment cards, Morales said, and authorities eventually seized 22 more.

Morales said the connection to the Target hacking came from the U.S. Secret Service; U.S. Immigration and Customs Enforcement, or ICE; and banking institutions making cleanup efforts after the hack.

Target said last month that up to 40 million customers' credit and debit card accounts used for purchases at its stores nationwide were illegally accessed by cybercriminals from Nov. 27 to Dec. 15.

The Minneapolis company later said that hackers also may have taken the names and the home and email addresses of as many as 70 million in-store and online shoppers.

On Monday, Target spokeswoman Molly Snyder said the investigation is "active and ongoing" and referred questions about the McAllen arrests to local law enforcement.

McAllen police began receiving reports of fraudulent credit card use from local retailers last week, Morales said. Police launched an investigation, teaming up with ICE and the Secret Service.

Morales said federal law enforcement agencies are expected to file more charges against Garcia and Guardiola "in the near future." He said it was "too early" to say whether authorities are looking for more suspects.

Garcia and Guardiola are in a McAllen police holding cell and will be arraigned by Tuesday, Morales said.

Longtime security analyst Bruce Schneier said the arrests played out in a familiar way.

"It's not that we find criminals like this through cyber-forensics. We get them in the real world when they do something stupid," said Schneier, chief technology officer at cybersecurity firm Co3 Systems. "It's invariably how it works: Getting credit cards is easy. Turning it into cash is hard."

Schneier acknowledged, however, that the criminals who carried out the initial breach may not be the same ones who end up using the stolen data. Often, payment card account information is sold on the black market and used to make illegal purchases, he said.

Target is being sued by more than a dozen customers over the breach, as well as by a Seattle law firm accusing the retailer of ignoring earlier warnings about flaws in its protective systems.

Separately, Putnam Bank in Connecticut filed a federal complaint against Target alleging that the hack has resulted in "significant losses" for the bank as it reissues payment cards and reimburses customers for fraud-related losses.

"In a lot of ways, credit card fraud is irrelevant to most people because credit card companies are so efficient on making good on any damages," Schneier said.

The Target attack now appears to rank as the nation's biggest cybercrime against a single retailer. The 110 million potential victims could represent more than a third of the U.S. population.

"We're at a scale that has probably never been seen before," Scott Mitic, senior vice president at consumer credit rating firm Equifax, said this month. "This is going to be a case study that people will talk about for another decade."

The two batches of data were stolen simultaneously but affected different sets of data and customers.

Target disclosed the theft of the first batch Dec. 19, saying cyberthieves lifted primarily financial information from people who shopped at its stores and used credit or debit cards Nov. 27 to Dec. 15. The information stolen included customer names, card numbers and a security code encrypted in cards' magnetic strips.

The second batch, disclosed Jan. 10, encompassed largely personal information such as names, addresses, phone numbers and email addresses from shoppers online or in a store over an indeterminate amount of time.

Matching personal and financial details from the two batches, experts said, could clear a path for the culprits to make fraudulent purchases, siphon money from bank accounts or steal victims' identities.

Target has promised to offer affected customers free credit monitoring and identity theft protection for one year.

Last week, cyber-intelligence firm ISight Partners said a new piece of malicious software known as Kaptoxa has "potentially infected a large number of retail information systems." The company said it was working with the U.S. Secret Service when it made the discovery.

Neiman Marcus Group said this month that its customers' credit and debit card information also was stolen, although Social Security numbers and birth dates seemed to be safe.

The upscale retailer said that online shoppers weren't affected and that it had "no knowledge of any connection" to the Target breach.


With Otto and the Secret Squirrels on the case, I expect results to result.

KRonn

US credit card issuers need to catch up with the newer technology. Yeah it's expensive but how much does the Target theft, plus the many others that occur daily, cost the credit card companies and retailers?
Quote

http://abcnews.go.com/blogs/business/2014/01/new-demands-for-smart-chip-credit-cards/
Will the massive security breach at Target lead to new chip technology and pin numbers for U.S. credit cards? Target CEO Gregg Steinhafel wants banks and retailers to approve changes.
In Europe and Canada cards already have smart chips installed and readers are used at retailers and restaurants, making it harder for thieves to profit from the sort of massive data breach that hit Target during the holiday shopping season.

The attack led to the theft of tens of millions of credit card numbers. Hackers appear to have stolen many phone numbers and e-mail addresses.

Despite previous calls to update U.S. cards, retailers and banks have feuded for years over card-swipe fees and the cost of making security upgrades.

"Computer networks are vital to American capitalism and society, but they remain surprisingly vulnerable to thieves and hijackers," says an editorial in today's Washington Post. The newspaper, owned by Amazon CEO Jeff Bezos, says "Congress must now get serious about cybersecurity. The private sector has much at stake but may not be able to cope on its own."

A South Texas police chief says two Mexican citizens who were arrested at the border used account information stolen during the Target security breach to buy tens of thousands of dollars' worth of merchandise. But a federal official said later there currently was no connection between the arrests and the retailer's credit card data theft.
Asked about the arrests, a Target spokeswoman said the investigation was active and ongoing. McAllen Police Chief Victor Rodriguez says the pair had used fraudulent cards containing the account information of South Texas residents to make purchases at Best Buy, Wal-Mart and Toys R Us. McAllen police began working with the Secret Service after a number of area retailers were hit with fraudulent purchases last week.

Yahoo is still America's most visited website, according to numbers from comscore.com. The report comes as Yahoo struggles to increase advertising growth. Google's search engine, AOL and Facebook all lagged behind Yahoo.
It's back to work for traders on Wall Street after the long holiday weekend. There are a slew of earnings reports due out today. Stock futures rose this morning after overnight gains on Asian markets. China's central bank pumped more credit into the system after concerns about slowing growth in the world's second largest economy.

Business is bad for Sochi games. With less than three weeks to go until the opening ceremony at the Winter Olympics, hundreds of thousands of tickets remain unsold, raising the prospect of empty seats. There are signs that many foreign fans are staying away, turned off by terrorist threats, expensive flights and hotels, long travel distances, a shortage of tourist attractions in the area, and the hassle of obtaining visas and spectator passes.
"Some people are scared it costs too much and other people are scared because of security," senior International Olympic Committee member Gerhard Heiberg of Norway told The Associated Press. Sochi organizers announced last week that 70 percent of tickets have been sold for the games, which run from February 7-23. But it's not clear whether the remaining 30 percent of seats will be filled.