Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The Target Data Breach: How It Happened

December 23, 2013

One of the best sources for information on the Target data breach is one of my favorite resources, Krebs on Security (hat tip to Dave Ries for pointing me there). You'll need to scroll down to get all the stories on the Target breach (or if you're looking at this point long after the fact, do a search on the blog). And USA Today has an article today on the three class action suits that have been filed in the wake of the breach.

Some of the key reported facts in this horror story:

  • It appears that approximately 40 million credit and debit card accounts may have been compromised
  • The breach took place between November 27 and December 15 (Happy holidays!)
  • The breach affected shoppers at stores nationwide, but not those who shopped Target online
  • As Brian Krebs noted, "Credit and debit card accounts stolen in (the Target breach) … have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card."
  • It is not clear when Target knew of the breach, which is the second largest in history (TJX in 2005 was the largest)
  • The FBI is investigating (no surprise)
  • The breach involved the theft of data contained on the magnetic stripe of the credit and debit cards

It remains for the courts to determine whether Target will be held responsible for the breach. It is offering free credit monitoring. It is worth noting the words of Mallory Duncan, general counsel of The National Retail Federation: "We are using 20th century cards against 21st century hackers." In the U.S., most account info is contained on the magnetic stripe on the card's back and is easily replicated. In the rest of the world, most cards contain digital chips that create a unique code, not easily copied, every time the card is used.

I am guessing that the new year will bring a rush (a bit late) to manufacturing the 21st century cards.

http://twitter.com/sharonnelsonesq