UPDATE: On Friday, Dec. 27, 2013, Target revealed that encrypted PIN data was removed from its system during the data breach. However, the company confirmed in a press release that consumers’ debit card accounts were not compromised and all PINs are secure. This is because all files are protected by triple DES encryption, and the retailer “never had access to the encryption key required to open or read the PIN files.”
The release noted: “What this means is that the ‘key’ necessary to decrypt that data has never existed within our system and could not have been taken during the incident.”
Below is the initial article, which was published on Dec. 24, 2013.
After releasing a statement admitting that it was hit with a massive credit card breach, Target is focusing on maintaining its reputation and alleviating customer concerns.
The breach may impact consumers who used their credit or debit card to complete a purchase in a U.S. Target store between Nov. 27 and Dec. 15, 2013. Online shoppers were not affected.
Once acknowledging the breach, Target offered a series of resources and tips to protect consumers and help them address fraud cases. In its statement, the retailer shared contact information for credit report agencies, and encouraged consumers to check their payment activity on a daily basis to track and report any suspicious activity. All Target customers who may be impacted by the breach also can receive a free credit report via www.AnnualCreditReport.com.
“Target is being proactive in the public domain, while at the same time trying to maintain its momentum in the shopping season,” said Brian Kilcourse, Managing Partner at RSR Research. Banks and credit card providers “have the responsibility to notify consumers of a possible breach, and I’m sure that Target is actively engaged with the payments networks to identify those at risk.”
Additionally, Target has attempted to weather the media storm by offering customers a 10% discount on products this past Saturday and Sunday, excluding video games, gift cards and other items. The retailer has also added workers to help with the influx of calls and web site inquiries regarding the fraud situation.
Ongoing Investigation And PR Efforts
Behind the scenes, Target is addressing the issue by partnering with security forensics experts and the Secret Service to “conduct a thorough investigation of the incident and to examine additional measures we can take that would be designed to help prevent incidents of this kind in the future,” the announcement from Target noted. “Additionally, Target alerted authorities and financial institutions immediately after we discovered and confirmed the unauthorized access, and we are putting our full resources behind these efforts.”
The retailer has already been hit with lawsuits from several customers seeking millions in damages and possible class-action status. Attorneys general of at least four states — Connecticut, Massachusetts, New York and South Dakota — have requested information from Target about the lapse.
To maintain a positive public image, Target needs to “stay in front of the story and manage the message as much as possible,” said Dave Hogan, Executive Director at Heartland Payment Systems and former CIO of the National Retail Federation. “The near-term goal should be to restore customer confidence about shopping at Target for the remainder of the holiday season.”
While Target’s initiatives may help alleviate the initial blow of negative feedback from consumers and the media, up to 40 million accounts could possibly be subjected to credit card fraud, with consumers’ full names, credit and debit card numbers, expiration dates and three-digit security codes up for grabs.
In a statement, Target CEO Gregg Steinhafel noted that there is no indication that debit PIN numbers have been compromised, which means a duplicate card can not be used to withdraw cash from an ATM machine.
But new reports assert that credit and debit card data acquired during the breach is being sold online through the black market, which will potentially extend the life of the breach and increase overall fraud reports.
Uncovering The Source Of The Breach
Compared to extensive and highly sophisticated breaches like the one TJX experienced in 2007, security experts are left wondering how the Target incident occurred in the first place.
Industry experts are considering the potential sources of the breach. Some reports suggest that malware may have been planted in electronic cash registers. However, others point to the breach occurring at the corporate data center.
Kilcourse noted that for so many POS terminal devices to be affected simultaneously, “it must inevitably have been the result of software being downloaded as part of a routine procedure from the central host computers.”
However, Hogan added that the root of the breach will not to be revealed “until both the Secret Service and security forensic experts have completed their investigation and isolated cause and scope of the breach.”
With cybercrime becoming more sophisticated, data breaches will happen more frequently — and on a more grand scale — unless sufficient security is provided.
“Customer data security will never be solved because it’s a moving target,” Kilcourse said. Compliance to industry data security standards will “never be enough” as the “bad guys are relentless and ever improving. Retailers should continually work with data security experts to monitor and improve the technology that handles customer data, and particularly payment information — it must remain a corporate priority because it bears fiduciary risk.”
Kilcourse added: Compared to the major TJX breach of 2007, the Target breach is “not as big.” However, the incident “comes at a time of heightened public awareness of privacy and security concerns,” providing Target with a more urgent call-to-action to regain customer trust.
Can EMV Prevent Future Breaches?
Credit card fraudsters aim to breach retailers with a high volume of credit card data so they can create clone copies of credit cards using the data they capture from back-end systems. This form of counterfeit card fraud is “the biggest problem facing the U.S. payment industry,” according to Randy Vanderhoof, Director of the EMV Migration Forum.
“If you were a fraudster, you could take a credit card out of your wallet, and ‘rewrite’ the mag stripe with someone else’s information,” Vanderhoof said. The account information on the card may be different than the data encoded in the card, he added, and retailers “rarely” check the information on the card.
Credit and debit cards equipped with EMV chips, however, can help mitigate data theft. When an EMV card is used in a retail transaction, a dynamic security code is created. Rather than using the same three-digit number, such as the one printed on the back of all credit and debit cards, the security code for EMV cards changes with each transaction.
“Each time a card is read, the chip delivers a unique security code, which is passed through the payment processing network for authorization, checked and sent back to the retailer,” Vanderhoof said. “So if credit card information is stolen, and a thief tries to reproduce the card with the same data, it would get immediately rejected because the system would detect that the one-time code was already used.”
Although EMV seems to be the key to mitigating data breaches as large as the one Target experienced, “there hasn’t been a rush for the U.S. market to move to EMV,” Vanderhoof said. “Primarily, this is because it will be a complex and expensive process. That being said, the major payment brands have agreed it’s time for the U.S. to transition and have set dates for all financial institutions to issue EMV cards, and retailers to replace their systems with payment systems that take EMV.”
Retailers, overall, have “spent millions of dollars to make networks more secure,” Vanderhoof said. “But despite these best efforts, cyber criminals are finding ways to breach through those defenses. We need to start thinking about building higher walls to protect data and start thinking of ways to change the data itself.”