Every day,there’s another news headline highlighting a data breach at a large, well-known company. We are so used to hearing of them now that the impact has been lessened. The Target breach was different. For most people, the Target breach news struck close to home. It has been fascinating, following the unraveling of how the event occurred and how Target has responded to the breach. As much as Target would like the data breach news coverage to end, it is not going away.
The latest finding is that the Target breach likely occurred throughFazio Mechanical Services, Inc. (FSM), a refrigeration contractor in Pittsburgh that connected to Target’s systems to do electronic billing, contract submission, and project management. It now appears that they themselves were hacked by a sophisticated attack.
This new piece of information gives rise to many questions that need to be answered. For IT security organizations, here are three critical ones for consideration:
1. Did FSM really need electronic connectivity to Target’s networks?
Every situation is different, and each one needs to be judged on its own merits. However, every company needs to think very carefully before connecting anyone to their internal computer networks. A connection, by its very nature, generates additional risk. Connecting an outside company to the internal network may save money and create efficiencies, but how much can be lost if something goes sour?
Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.
At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.
Kickstarter, the fund-raising platform used by millions of people to raise capital for creative projects and businesses, said over the weekend that hackers had gained access to some of its customers’ data last week but that the breach had been repaired.
“No credit card data of any kind was accessed by hackers,” Kickstarter’s chief executive, Yancey Strickler, wrote in a blog post on Saturday on the company’s website. “There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” he wrote. The post noted that the company’s website does not store credit card data.
Recent data breaches at Target and Neiman Marcus have raised concerns among lawmakers and the public over who should bear the cost of consumer losses and how to improve security online.
The compromised Kickstarter information included user names, email addresses, mailing addresses, phone numbers and encrypted passwords, according to the company, which was informed of the breach by law enforcement officials last week.
It added that while the passwords were not revealed, people with computer expertise could still decipher encrypted passwords, and recommended that users change their passwords as well as those for other sites or accounts for which the users had the same password.
(Reuters) – A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.
Stores and card processing companies have reported a steady stream of security breaches for years without a major backlash from consumers, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009.
But the latest thefts – including attacks on Target Corp and Neiman Marcus – have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.
One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.
Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.
The breaches are “unfortunate but we’re not entirely surprised,” Duncan said at his organization’s annual convention now being held in New York.
“The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers,” he said.
Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc will not require the higher security until next year at the earliest.
It is not clear the new “Chip-and-PIN” cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.
Investigators believe that hackers used malware that captured data on customers from the magnetic stripes on their payment cards. Since Target’s disclosure the more upscale store chain Neiman Marcus has said it also suffered an attack, and sources have told Reuters that at least three other well-known U.S. retailers have been breached but not come forward.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president and chief executive, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Friday’s announcement is the result of an ongoing investigation into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.
Target’s problems reflect a crisis in how customer data is protected, analysts said.
“It’s a little frightening. These bad guys are getting into some of the most secure retailers’ networks, and I’m sure it’s not going to stop at Target,” Litan said. “We need a fundamentally different paradigm here for how we manage security.”
But, with few details emerging about how the crime against Target was committed, it’s hard to say what solutions could have prevented this particular breach.
Shoppers whose personal and financial data was stolen — the exact number is unclear — are at higher risk of falling victim to scams or having their information misused. Target said the two types of data are not linked within its system.
But consumer advocates point to the fact that Target is an industry leader at data mining, the practice of analyzing customers’ information to find out more about their preferences and shopping habits.
“That makes this breach all the more frightening,” said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, an advocacy group. The volume of information Target has on its customers raised the stakes, he said.
Experts said that with names and mailing addresses, thieves can use the credit cards for online purchases that require that information. On top of that, they can try to trick people into providing even more sensitive information, such as Social Security numbers, or hack into their computers.
The company said it doesn’t know how many customers have found fraudulent charges on their credit or debit cards, but individual stories and lawsuits are beginning to crop up across the country.
A California shopper filed a lawsuit against Target last month and hopes to include other shoppers in a class-action case. Last week, a credit union in Alabama also took action against Target, seeking compensation for costs that would arise from issuing customers new cards, as well as any fraudulent charges
Neiman Marcus confirmed Saturday that its customers are at risk after hackers breached the Dallas company’s servers and accessed the payment information of those who visited its stores.
The firm has offered few concrete details about the scope of the attack, such as what data were taken or how many customers may be at risk. Nor did it say whether data from any of the other retailers it operates — including Bergdorf Goodman, Horchow, Cusp and Last Call — were affected. In a statement, Neiman Marcus said it was informed of the breach in mid-December by its credit card processor and subsequently informed law enforcement officials, including the Secret Service. The company is taking steps to contain the breach and has “taken significant steps to further enhance information security,” the statement said.
Neiman Marcus spokeswoman Ginger Reeder declined to provide further information on the attack. A spokesman for the Secret Service also declined to comment.
The company apologized to its customers for the breach through messages on its Twitter feed and said that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores.
(Reuters) – The Syrian Electronic Army, an amorphous hacker collective that supports Syrian President Bashar al-Assad, claimed credit on Wednesday for hacking into the social media accounts of Internet calling service Skype.
The group also posted the contact information of Steve Ballmer, Microsoft Corp’s retiring chief executive, on its Twitter account along with the message, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA”
That message was an apparent reference to revelations last year by former National Security Agency contractor Edward Snowden that Skype, which is owned by Microsoft, was part of the NSA’s program to monitor communications through some of the biggest U.S. Internet companies.
A message posted on Skype’s official Twitter feed on Wednesday, apparently by the hacking group, read: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring your accounts and selling the data to the governments. More details soon. #SEA”
Similar messages were posted on Skype’s official Facebook pages and on a blog on its website before being taken down in late afternoon. The SEA later tweeted out copies of the message “for those who missed it.”