Target Breach: New Questions RaisedWere More Servers, Website Compromised in Malware Attack?
Target Corp.'s revelation that personal information about up to 70 million customers was exposed in a recent breach, in addition to as many as 40 million debit and credit card numbers, raises more questions about the Target's security practices and risks to consumers (see Target Breach: 70 Million Affected).
Experts question how personally identifiable information and card data could have been exposed during the same malware attack; and now new concerns are circulating about how the breach of this data could impact the scope of the actual compromise.
John Buzzard, who heads up FICO's Card Alert Service, says the exposure of personal data could mean Target's website was compromised. As the forensics investigation continues, he says, Target may discover that more servers and files were breached than originally surmised.
A banking executive in the Midwest, who asked to remain anonymous, worries that banking institution routing numbers and even checking account numbers might also have been breached. If Target's website was breached, this source questions what other information linked to customer accounts, beyond PII, could have been exposed.
"All reports are saying POS malware [was involved]," the executive says. "Was it another, more powerful, malware attack? ... Educating everyone right about now, from the CEO to consumer, is critical. Whether you shopped at Target or not, you can still be a victim."
The exposure of e-mail addresses, phone numbers and mailing addresses now linked to the Target attack doesn't necessarily increase the risk of identity theft and phishing, says Al Pascual, a financial fraud analyst for consultancy Javelin Strategy & Research.
The PII associated with the Target breach could easily have been found anywhere online, he notes. "Given Target's popularity, criminals wouldn't need a list to reach Target shoppers, as any mass e-mail campaign designed to play on consumer fears around the Target breach would probably be pretty successful, even if the e-mails were sent to random addresses," Pascual says.
"The far greater threat is that of fraud on the compromised cards," he adds. "While we have seen some fraud occurring on those cards, it is likely to continue for some time, so consumers and their banks need to remain vigilant."
But Buzzard of FICO says fraud linked to the cards exposed in the Target breach has been minimal in recent weeks, suggesting the attackers and/or those who have purchased the compromised numbers in underground forums are just waiting for the right moment to strike.
Exposure of PINs
"According to sources of IntelCrawler, there is an active group of Eastern European cybercriminals who specializes in attacks on merchants and point-of-sale terminals by using sophisticated malware and targeted perimeter attacks," the blog states. "The recent request by the underground to decrypt PIN data ... may be co-incidental to the Target breach or possibly some of the actual perpetrators floating the sample to see what resources and success the power of the underground has had or could have given the magnitude and value of the target breach."
But Avivah Litan, a financial fraud expert who is an analyst for the consultancy Gartner, says the PINs and numbers that are cropping up in underground forums are linked to attacks beyond Target.
"I hear there are other retailers impacted by this latest round of malware, and that the malware was being tested at various other retailers before the Target breach," she says. "I think there are widespread targeted attacks against the U.S. retailers - and certainly the bad guys are not just after card data, but any data they can get their hands on to perpetrate crimes. With this latest data revealed (name, e-mail, phone, etc.), they can use it to perpetrate social engineering ploys against consumers - call or e-mail them in attempts to extract more information from them before committing high-stakes financial fraud."