Target’s Black Friday season security mishap put a harsh spotlight on the consequences of less than ironclad data security. It also demonstrated the comparative ease with which hackers can gain access to consumer data. The attack was made possible by malicious software which infected Target’s point-of-sale systems, resulting in the theft of customers’ names, phone numbers, email addresses, and mailing addresses in addition to their credit and debit card numbers.
The Method of Attack
With data security a hot topic in the mainstream news thanks to revelations regarding the NSA and GCHQ surveillance of citizens, the attack couldn’t have come at a worse time for Target’s reputation. Another confounding factor: the software allegedly used to obtain the information is described as “off-the-shelf” malware. Called “BlackPOS,” the memory-scraping software is designed to capture consumer data immediately after it is gathered by the point-of-sale system.
While no public statement regarding the method of infection has been released, sources claim that BlackPOS was introduced to the system via a compromised Target Web server and installed on the POS system. The scavenged data was then deposited via a control server on Target’s internal network, to which the hackers appeared to have had constant access.
The perpetrators of the attack have not been positively identified but the ongoing investigation has revealed some telling information. BlackPOS was authored by a hacker who goes by the nickname Wagner Richard on Vkontakte.ru, a Russian social network. The malware was sold via criminal forums, and the stolen data was bundled and put up for sale on the black market.
The data stolen was more than sufficient for criminally-minded buyers to create working counterfeit credit and debit cards. At least one couple has been charged with fraud for using credit cards created with data from the Target breach. Mary Carmen Garcia and Daniel Guardiola Domenguez of Monterrey, Mexico were stopped in January after a Texas shopping spree. Investigators believe this points to the purchase of some customers’ data by Mexican criminal organizations. However, at this time there is no reason to believe that hackers could have access to the PINs from the compromised debit cards, making ATM-oriented theft unlikely. The PINs were included in the theft but were encrypted.
It’s equally unlikely that sale of the data was restricted to a single organization located in Mexico, as its availability on the black market means that any number of criminal organizations and individuals around the world may have gained access.
The PR Blitz
After being criticized by some for lagging in their announcement, Target launched an aggressive PR campaign to earn back the trust of its customers, contacting directly those for whom they had email addresses, offering a year of credit monitoring to affected customers, and stressing their commitment to future security.
Could the attack have been prevented? Until more is known about the security failing that opened the way to Target’s central systems, it’s difficult to say. As a major retailer, Target would have been PCI (Payment Card Industry standard) compliant, which means it is all the more unsettling that a cheap ($1,800-$2,300) piece of software like BlackPOS was so effective. Retailers who have relied strictly on being PCI standard compliant should take note of the retail giant’s plight. Security experts maintain that PCI standards are a good foundation, but that retailers need to examine their information security programs and institute more comprehensive protection.