What happened to Target® last week is every business’ worst nightmare. We’ve received a number of inquiries regarding the incident from concerned clients and friends and wanted to share a few insights.
To date, limited information has been announced about the incident and we can expect new information to trickle out as it is discovered and becomes available. We know that on Thursday, December 19, Target announced that computer hackers stole data from approximately 40 million credit and debit cardholders from November 27 through December 15 – one of the busiest shopping times of the year. You can read Target’s statement about the breach here. Target has also set up a page on their corporate site to keep the public informed as the situation unfolds.
Speculation continues to swirl around the incident and oftentimes it can take weeks or even months for a thorough forensic investigation to be performed and uncover all of the facts.
What Can Consumers Do?
If you are a Target RedCard holder or were notified by Target that your card may have been compromised, at a minimum, you should put a fraud alert out on yourself through one of the three credit bureaus. To learn more about fraud alerts, check out Equifax’s website. They do a nice job of explaining what a fraud alert is and how they work.
Choose one of the three credit bureaus to set up a fraud alert on yourself. You will be prompted to provide sensitive personally identifiable information including but not limited to name, address, social security number and date of birth.
Additionally, you should monitor your credit card and bank accounts regularly for unusual activity. Over the weekend, Chase Bank announced limits to debit and credit card purchases in response to the event in order to limit potential fraud. They have even expanded hours to accommodate customers who need access to funds in excess of the newly imposed limits.
What Can Businesses Do?
Businesses should inspect the credit card data flows from the swipe point to the aggregation point. In past retail breaches, we have seen attackers leveraging network sniffers and memory scrapers to steal magnetic stripe data, also known as Track Data.
Businesses should ensure that not only external traffic containing magnetic stripe data (Track Data) is encrypted, but internal traffic should be encrypted too. Though this is not a PCI compliance requirement, it can prevent attackers from sniffing data as it’s transmitted from POS terminals to Back-of-House servers.
On the aggregation points (i.e. Back-of-House servers at each store or a Central Server at a corporate location) businesses should deploy an application whitelisting solution to ensure that all running processes are authorized. This would also prevent network sniffers and memory scrapers from running on these systems. These types of controls are recommended in addition to having an updated antivirus solution, as targeted POS malware is usually not detected by signature-based antivirus solutions. Furthermore, follow the Data Security Alerts and Bulletins published by Visa to learn about the latest threat vectors used by credit card hackers.
Target is not only under public scrutiny, but also under the scrutiny of many state attorneys general offices including Massachusetts, New York, South Dakota and Connecticut who are demanding answers. Target has a long road ahead in recovering from this breach – and the cost is going to be enormous, both monetary and reputational. Stay tuned for further updates. We will post them as they become available.