The scope of Target’s retail breach has crept up. Actually it has nearly tripled in the number of people affected. Initial reports stated that data for 40 million consumers was compromised – nothing to sneeze at. The next big development revealed that PIN information was also lost, though Target assures that the information was encrypted. Yesterday it was reported that data was taken for up to 110 million people. That number approaches three times the number first reported and represents at least a third of the U.S. population. This is a shining example of why it is important to allow investigators to fully assess all information available to avoid publicizing premature analyses, and also highlights the importance of transparency for businesses in sharing information that impacts their consumers and the community at large.
The increased scope of the breach is a result of Target’s update on the hack that includes tens of millions of customers whose names, mailing addresses, phone numbers and email addresses were lost, in addition to those whose compromised payment information was previously reported. While not as sensitive as credit card information, this is still data that could have tremendous value to the wrong people. The secondary customer information was reportedly stored separately from the previous 40 million customers’ credit and debit account information, which raises the possibility of a separately hacked system.
If this is the case, the implications are huge. For weeks it has been suggested that the breach required only a simple fix once discovered: sniffing, exfiltration of data through a point of sale transmission, or something even simpler. However, if a second system was compromised, the breach becomes much more serious, as the hackers may have gained elevated control, possibly impersonating some element or engineering the hack to intercept two different levels of data. Target states that there was overlap between some of the data, which could still tie the hack to point of sale terminals. At the end of the day, we don’t know all the details yet, but more clues and victims are emerging as the weeks go on.
It’s time for more information
It is frustrating for many to see Target relinquishing such small amounts of information the way it is, but the company has responded responsibly in some ways, offering fraud protection and immediately communicating directly with affected customers. Meanwhile, the security community is anxious for answers about how the hack occurred: if Target’s seemingly secure system was breached, other retailers and businesses are likely vulnerable. As legal liability and anticipated fines loom, Target is content to continue releasing information about the cyber attack only when absolutely necessary. After all, the investigation is ongoing.
Still, the slow drip of updates is reminiscent of the way the government responds to scandals: denials, followed by bits of information, investigations, lawyers, a little more information and maybe at some point, a definitive truth. Target’s reputation has taken a considerable hit, and consumer trust has been broken. Whatever the breach incident response plan has been, the retailer should favor rapid disclosure for the good of the industry, and for the sake of rebuilding the relationship with its customers. Target president and CEO Greg Steinhafel said in a statement:
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this. I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
The public wants to know more. More than merely numbers affected, type of data lost and statements that the problems “have been resolved”: consumers want to know how some of these technologies were deployed. Was there a leak in the system? Who was responsible? Is the hardware to blame? With the personal security of 110 million at stake, an apology and complimentary credit monitoring are a good start, but it’s just not enough. It’s not always about mitigating the losses.
Neiman Marcus also breached – is it connected?
In the meantime, it was reported on Brian Krebs’ security blog that upscale retailer Neiman Marcus has reported a breach that occurred in the middle of December – around the same time as the Target attack. Similar to the Target incident, the breach also only affected retail shoppers. Limited information is available; there has been no word on the scope of the breach in terms of number of consumers impacted or the duration of the vulnerability, thus, it can only speculatively be presumed that the two incidences are related. With cybercrime on the rise and a potential epidemic of retail hacks on the horizon, consumers may be comforted by one of the highlights of SiliconANGLE’s cybersecurity prediction series: the sharing of security information. Stay tuned for further updates and developments on the Neiman Marcus story.