Target Admits Data Breach May Have Up To 110 Million Victims

timothy posted about 3 months ago | from the ok-this-time-try-20-percent-off dept.

Businesses 213

Nerval's Lobster writes "Retail giant Target continues to drastically downplay the impact of the massive data breach it suffered during December, even while admitting the number of customers affected is nearly twice as large as it had previously estimated. Target admitted today the massive data breach it suffered during the Christmas shopping season was more than twice as large and far more serious than previously disclosed. A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million, and that the data stolen included emails, phone numbers, street addresses and other information absent from the stolen transactional data that netted thieves 40 million debit- and credit-card numbers and PINs. 'As part of Target's ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach' according to Target's statement. 'This theft is not a new breach, but was uncovered as part of the ongoing investigation.' The new revelation does represent a new breach, however, or at least the breach of an unrelated system during the period covered during the same attack, according to the few details Target has released. Most analysts and news outlets have blamed the breach on either the security of Target's Windows-based Point-of-Sale systems or the company's failure to fulfill its security obligations under the Payment Card Industry Data Security Standard (PCI DSS)."

213 comments

I have to get better sources apparently... (0)

Anonymous Coward | about 3 months ago | (#45923281)

...because I thought I read somewhere that they only grabbed PINs. So they *DID* get hold of actual credit card numbers? If so, yes, that's pretty bad... I always thought that if they ONLY had PINs, then it wasn't too terrible, at least not as bad as having the actual credit card numbers.

Re:I have to get better sources apparently... (5, Informative)

Anonymous Coward | about 3 months ago | (#45923655)

They got mag stripe data which allows them to print copies of the cards. The PINs were supposedly encrypted with 3DES (which isn't exactly robust) though Target has been less than forthcoming about any real details so I don't trust their claims. And if the one-time keys were sent to the PIN pads with each transaction, and the hackers were sniffing network traffic (which is what I suspect for them to have gotten every part of every CC/DC transaction), then they got the keys on their way into the PIN pads and the encrypted PINs on the way out.

The additional customer records (some of which I assume overlap the RedCard holders whose CC's were nabbed in the first breach announcement) may be from target.com, or from RedCard applicants (approved and denied), or the gift registry and maybe even the pharmacy.

We haven't seen the end of this yet. And Target will be dealing with the legal, regulatory and civil fallout from this for years. Talk about flushing away hundreds of millions of dollars.

Target needs to be sued (1)

Anonymous Coward | about 3 months ago | (#45923291)

By the major credit card companies for gross negligence and conspiracy for fraud.

Re:Target needs to be sued (3, Insightful)

Mashiki (184564) | about 3 months ago | (#45923381)

Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that target is the benefactor of the said breach?

Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45923437)

I think the fraud outrage is driven by the storage of that much personal financial information. I can't see any reason why they would store that information at all once the charge clears your account... unless the theft happened in real time.

Re:Target needs to be sued (1)

bloodhawk (813939) | about 3 months ago | (#45923505)

Stupidity does not equal fraud

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45923593)

and the stupidity isn't entirely target corp's either.. what about all the vendors and contractors that supplied the hardware and much of the software that they use?

Re:Target needs to be sued (1)

mysidia (191772) | about 3 months ago | (#45924089)

Stupidity does not equal fraud

No, but the above poster may be attempting to make an argument for shared guilt. That Target's negligence was so severe that it facilitated frauds which other actors will be committing, to the point of "aiding and abetting" the criminals who stole the numbers and other data and are in the process of hocking them for fraudulent use.

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45924281)

that qualifies as negligence not fraud or aiding and abetting

Re:Target needs to be sued (3, Interesting)

pcwhalen (230935) | about 3 months ago | (#45923519)

In the period of time between Black Friday and Dec. 17, when Target says this all went down, if they were open 12 hours a day, that's one card every 3 seconds.

Oh, wait. That was when they claimed it was 40 million names.

No way this was real time. Target must have been data mining.

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45923709)

No way this was real time. Target must have been data mining.

Target stores the CC#/DC# - presumably as a hash - to track return customers. If I use my DC at Target I often get coupons at the register for items I've purchased in the past but have not purchased with my DC recently.

In order for Target to generate a hash of my DC they need to have it in plain text at some point, which would mean the exposure was in real time. If they stored it but didn't bother hashing it all they probably would have exposed more than 40 million cards.

This is all speculation based on trusting what Target has claimed (which may or may not be worth the RedCard it's printed on).

Re:Target needs to be sued (2, Informative)

LordKronos (470910) | about 3 months ago | (#45923717)

Not sure how you figured that. Target has 1921 stores, and is generally open 14 hours per day for the holiday season (8am-10pm). 40 million spread across that and over 19 days comes to 1 transaction every 46 seconds

Awesome work with the math. But let me give you one tiny bit of info you might have missed. Did you realize Target is more than 1 store? Actually, 1921 stores to be exact. So that's (let's round up) 20823 per store. Spread over 19 days, that's 1096 per store per day. The stores are open probably closer to an average of 14 hours a day for the holiday season. So that's 78 per hour, or one transaction every 46 seconds. Somehow I think they can manage a bit more than that. Even if you factor in that not every transaction is a credit/debit transaction, I think it's still very believable.

Re:Target needs to be sued (1)

Anonymous Coward | about 3 months ago | (#45923563)

Negligence perhaps, but where's the conspiracy that applies to fraud? Are you saying that target is the benefactor of the said breach?

Really, the companies in the states are just starting to roll out chip&pin like the rest of the world, while not a perfect system by any stretch, it's a hell of a lot better than magstrip only. If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.

Re:Target needs to be sued (1)

Mashiki (184564) | about 3 months ago | (#45923821)

Please stop contributing to this abuse of the word "benefactor." A benefactor is one who gives. A beneficiary is someone who gains.

That much is obvious, so again where is Target the benefactor in the said breach? Where did they *give* something that facilitated the theft of the data that contributed to fraud.

Re:Target needs to be sued (1)

aviators99 (895782) | about 3 months ago | (#45923679)

They don't need to be sued. Their merchant agreements make them liable for fraudulent charges and a fee for each card that has to be reissued. It will be in the billions, for sure.

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45923779)

If you're going to go negligence, I'd start right at the top with the CC companies who've been dragging their feet for the last 5 years.

Only 5 years? Are you new to IT?

Re:Target needs to be sued (1)

Mashiki (184564) | about 3 months ago | (#45923849)

Only 5 years? Are you new to IT?

Only of the last 18 years or so...and that's saying something. So in Canada we rolled out chip&pin over 5 years ago converting everything (it's been available a bit longer than that). CC companies in the US have been dragging their feet over it for the last 5 years.

Re:Target needs to be sued (2)

beanpoppa (1305757) | about 3 months ago | (#45923831)

I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

Re:Target needs to be sued (2)

Fnord666 (889225) | about 3 months ago | (#45924441)

I think the US card companies are actually going backwards. The Amex Blue card that I got 4 years ago had an RFID chip in it. The replacement I just received upon its expiration no longer has a chip.

I got one when they first came out. It even came with a card interface to hook it up to your computer. They were trying their own thing if I recall, not EMV. They had a lot of grand plans for it, but they never actually did anything with it.

Re:Target needs to be sued (1)

Charliemopps (1157495) | about 3 months ago | (#45924355)

They saved money by telling their customers that they were PCI compliant and they really weren't. Fraud.

Re:Target needs to be sued (1)

gweihir (88907) | about 3 months ago | (#45924407)

It is not a benefactor of the breach. But it is a benefactor of lowering investment into IT security far below what was reasonable. (Or it was rather. Now they are paying for that stupidity...)

Re:Target needs to be sued (5, Insightful)

Waffle Iron (339739) | about 3 months ago | (#45923471)

By the major credit card companies for gross negligence and conspiracy for fraud.

No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

The only piece of sensitive info used during a credit card transaction should be a private key that stays inside in a tamper-resistant chip embedded inside my credit card. Everything else should be encrypted, and not even seen by parties such as waiters or Target.

Re:Target needs to be sued (1)

BringsApples (3418089) | about 3 months ago | (#45923785)

Credit and debt go hand in hand. It's the American dream, in reality. You have a card where you are able to spend money that not only do you not have, but doesn't exist at all. Once enough people are in debt to that system, then money (debt) prints itself. It's the American dreamers that make this possible. Hell, the credit card companies don't even give a shit about theft anymore. They're doing to you, what you originally tried to do to them - have money that doesn't even exist. Except, for them, there are legal benefits to being on their side of the game. And rather than money, they live/exist off of debt.

Don't forget that all money that's printed, represents a debt. In this way, the credit card companies (basically the elite) live off of debt, not money.

Re:Target needs to be sued (4, Interesting)

beanpoppa (1305757) | about 3 months ago | (#45923877)

Not sure why you think credit card companies don't care about fraud. They invest a lot in systems that study CC usage to flag transactions for possible fraud. In the last year, I've had 3 situations where a transaction has been declined until I contact the CC to verify that they are legitimate transactions. You might not feel that they do enough, but they certainly have an effort. There is just a point of diminishing returns where they've decided that it's not worth the extra effort to get fraud down below a certain level.

Re:Target needs to be sued (4, Interesting)

BringsApples (3418089) | about 3 months ago | (#45924141)

Well, point taken. But not long ago, a friend's card was stolen, so he cancelled it. The next month, he got a bill from the credit card company. It appeared that the thief went and filled up his gas-tank, as well as either a buddy's, or a boat or something, 3 Fridays in a row, same gas station, roughly same time of the day. The credit card company assured him that he wasn't expected to pay, and that they'd cancelled the card. Next month, same thing, roughly same amount, roughly same time, same day (Friday) same gas station. Again he called, same response - "no worries". Next month, same thing. Finally he told them, "Hey look, this guy's going to be there next Friday at about [whatever time it was], why not just have the cops waiting?" They basically told him that sometimes it takes a while before the gas station pumps are capable of registering that the card is bad/cancelled, and that there was no need to alert the police.

To me, this is an indicator that they don't care. I mean, that card was their property, and they knew that it was being used illegally, and yet they didn't want to get the police involved. I mean, it's not a shit-ton of money, maybe $400/month, but for 3 months? Of course, this may just be a 'bug' in their system, to do with gas tanks specifically, and maybe now that bug is fixed. But the people that he spoke with on the phone never had a doubt in their minds as to what to tell him. They never had to ask a manager, or anything like that. As though that type of thing happens a lot, and they knew how to 'handle' it.

Re:Target needs to be sued (1)

JLennox (942693) | about 3 months ago | (#45924459)

Have the police at the station asking to see the name on the credit card people are swiping?

I'm not sure we allow that, for good reason.

Re:Target needs to be sued (1)

nwf (25607) | about 3 months ago | (#45923793)

This is probably the only way it will happen. Well, more realistically Congress will pass a law requiring some poorly thought-up "fixes" and after several iterations of failure, we'll end up with what Europe does. You can't secure a completely insecure system with bandaids, duct tape and PCI (which is nothing more than a liability deferral instrument.) This is going to become more and more common. Frankly, I'm surprised we don't have a report like this every other month.

Bank routing number and account numbers printed on checks is even worse, though. Writing a check with an amount isn't much more secure than leaving the amount field blank.

Re:Target needs to be sued (0)

Anonymous Coward | about 3 months ago | (#45923959)

A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

Who cares? It's the bank's money not mine. I don't know of a single person that has been held liable for the insecurity of credit cards. I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back. It's the credit card companies that have weighed the cost/benefit analysis on the security of credit cards not the individuals.

Re:Target needs to be sued (1)

Waffle Iron (339739) | about 3 months ago | (#45924171)

Who cares? It's the bank's money not mine. I don't know of a single person that has been held liable for the insecurity of credit cards.

Fixing the problem involves time and stress on the part of the customer. Time and stress are money to me.

I would NEVER trust the security or lack thereof in a credit card. The number is also in plaintext on the easily reprogrammable magnetic stripe on the back.

The magnetic strip is just as idiotic as the embossed number. A non-idiotic system would only use tamper-resistant chips and encryption, as I originally stated. While probably not impossible to hack, it would be orders of magnitude harder than current US cards. More importantly, two-bit merchants like Target would no longer be able to siphon off transaction-enabling cleartext data through their vulnerable systems.

It's the credit card companies that have weighed the cost/benefit analysis on the security of credit cards not the individuals.

Hence, as I mentioned, the need for them to get soundly sued by everyone who has been affected by this breach. The credit companies are in sore need of a major attitude adjustment.

Re:Target needs to be sued (1)

Artifakt (700173) | about 3 months ago | (#45924325)

Some 'tiny little portion' of my taxes were spent recently in bailing out some banks. Enough credit card fraud, and I'm totally confident the 'too big to fail' bunch will be back at the public trough asking for more of my taxes soon. At least a good chunk of the money these banks are risking now is tax money they got in the bailout, not their own money. It doesn't matter if I trust the card system, or even have a credit card at all. So, do you pay taxes? If so, why don't you care?

Re:Target needs to be sued (1)

Fnord666 (889225) | about 3 months ago | (#45924473)

No, the major credit card companies need to be sued by the entire US population for setting up the entire credit card processing system in this nation to be a sick security joke. A plaintext number embossed on a plastic card available for every restaurant waiter to jot down? Give me a break.

Exactly right. Until those responsible for designing/implementing the system are held liable for its failure, nothing is going to change. Unfortunately the CC companies have very deep pockets and can stash a lot of legislators in them so don't expect any legislative shift in liability any time soon. Any significant change will have to come from the Judicial branch through civil suits or from the people themselves.

I wonder what would happen if everyone cut up their credit cards and just started paying cash for things? Maybe we could start with a campaign to get people to pay cash on Tuesdays? Just one day a week to get things rolling.

Re:Target needs to be sued (1)

EvilSS (557649) | about 3 months ago | (#45924271)

PCI compliance is involved, so no lawsuit is required. The PCI fines (levied by the PCI Security Standards Council, and Target is contractually obligated to pay) are $90 per account. Do the math on that for a second.

Now I'm sure there will be some negotiating going on but still, it's probably going to be a really big check they end up writing.

Wait.... What?! (2)

Lukano (50323) | about 3 months ago | (#45923295)

Target just managed to 'Oh... our bad, a bunch of other systems and avenues were also hacked.... well before the system(s) we're talking about now were hacked.....'... and this isn't a bigger deal?

Contradict me if I'm wrong, but are they not talking out of the side of their mouths to say that they'd been breached earlier, and only knew it now / only divulged it now?

That's the whole country (5, Interesting)

TrumpetPower! (190615) | about 3 months ago | (#45923331)

According to the Census Bureau [census.gov] , there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place? But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

Cheers,

b&

Re:That's the whole country (2)

rmdingler (1955220) | about 3 months ago | (#45923411)

Well, there were significant breeches in the Canadian Targets, IIRC, so I suspect we're talking about multiple nationalities credit data.

Re:That's the whole country (0)

Anonymous Coward | about 3 months ago | (#45923529)

Target continues to insist that Canadian stores / customers were not affected. Given the recent disclosures I don't believe them, but cannot find any source that doesn't simply parrot the Target spokespeople. Do you know where you heard about the Canadian breeches? Thanks

Re:That's the whole country (1)

rueger (210566) | about 3 months ago | (#45923605)

You're right in suggesting that Canadians almost certainly also had their data stolen.

Aside from that, one correction. This story deals with security breaches.

These are Canadian breeches. [rcmp-grc.gc.ca]

Re:That's the whole country (1)

goodmanj (234846) | about 3 months ago | (#45923987)

Meh. Canada is, in this as in most other things, negligible. (Sorry, guys. You know I love you but there's just not enough of you to make a difference.) Target really just opened in Canada this year, and their retail sales there amount to less than 1% of their total business.

Re:That's the whole country (1)

psithurism (1642461) | about 3 months ago | (#45923413)

Snowden revelations

Hmm, have the stolen credit cards been used or are they just sitting in a warehouse somewhere? Maybe the NSA is relevant to the current story?

I'm just asking questions!

Re:That's the whole country (0)

Anonymous Coward | about 3 months ago | (#45923443)

I don't think it's reasonable to assume that one household has no more than one buyer at Target (I'm not sure what the actual conversion rate would be, though). They also have locations in Canada and India. Not sure how extensive their India operations are (and also not sure if this breach extends to Indian customers).

Still I don't doubt that it's effectively their entire database.

Re:That's the whole country (1)

Anonymous Coward | about 3 months ago | (#45923561)

For what it's worth, the population of the US as of 2012 is roughly 314 million. Target lost a fuckton of card information.

Re:That's the whole country (-1)

Anonymous Coward | about 3 months ago | (#45923733)

The NSA should have records of all this data transfer. Bluntly unless they are in cahoots with the criminals or the criminals are the NSA where in the hell is this massive dragnet and when does it capture the culprit? This is proof in any case that the NSA is
(1) Worthless for stopping computer crime
(2) Worthless for protecting US Citizens or businesses
(3) a clear and present danger to the freedom and safety of the USA.

Re:That's the whole country (1, Troll)

girlintraining (1395911) | about 3 months ago | (#45923809)

According to the Census Bureau, there're about 115 million households in the US. Target has basically admitted that the theft amounts to their entire database.

*facepalm* A household is not the same as an individual. And most people own not one card, but an average of about 3.7. Currently, over 391 million credit card accounts exist in the United States. 115 million equals 29.4% of that. Further, I don't know what you consider "their entire database", since the census bureau tracks the number of households and other population data, not the number of valid credit card numbers Target has. But let's not quibble over details...

I'd like to think that this would mean the end of the credit reporting rackets; how can anybody even pretend any more that that data is meaningful when this sort of fraud is taking place?

Yes, let's just give up and go back to checks -- nobody ever committed fraud with those! Oh wait, they did? Umm, how about just cash transactions? Damn! Foiled again. Umm, gold? Wait, you can fake gold? How about the barter system? They got to that too? I guess I'll just have to move into the mountains, far away from any other person, and live off the land like our ancestors did, forsaking all advancements of civilization.

Or I could come up with some kind of social framework, something with a nice ring to it, like the Rule of Law. Sounds impressive. Let's go with that.

But I also wanted to think that the Snowden revelations would have meant the end of the NSA, so clearly I'm not somebody anybody is paying or should pay attention to.

You know, mentioning Snowden or the NSA in any reference to civil liberties or privacy should invoke some kind of response similar to Godwin'ing a thread. "You know who else liked data breaches..." Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people. It's like saying Microsoft develops software is a revelation. And no, the NSA didn't just implode because some cheeky twenty-something dropped drawers and mooned them, anymore than Target's going to simply shutter up and crawl into a corner to die quietly in retail exile.

It may be exceedingly inconvenient that people can say and do stupid things with such regularity and suffer no long-term effects but that's about it. If you're expressing surprise or admonishment over this state of affairs, you clearly need to get out more.

Re:That's the whole country (4, Insightful)

TheGratefulNet (143330) | about 3 months ago | (#45923897)

Snowden didn't have any "revelations". The revelations were that there's a spy agency that (wait for it) spies on people.

I normally like and agree with your posts, but here you are pretty far off-base.

what snowden taught us is that the nsa is totally out of control and going WAY beyond their charter.

yes, that is information we did not have before and it's powerful information.

Re:That's the whole country (3, Insightful)

Jeremi (14640) | about 3 months ago | (#45924159)

Yes, let's just give up and go back to checks -- nobody ever committed fraud with those!

I like a reductio ad absurdum as much as the next guy, but I think a better response would be to forward to something more secure. I'm sure you or any other Slashdotter could think of something clever, but at the very least we could do what every other country does and put security chips in the credit cards. [wikipedia.org]

JFC (1)

rmdingler (1955220) | about 3 months ago | (#45923339)

Are you kidding me.?.?. it's like a five-year-old lying about something he did, letting the truth slip out a little bit at a time.

Re:JFC (0)

Anonymous Coward | about 3 months ago | (#45923361)

Just like the NSA lying about the scale of its spying until they were forced, time after time, to admit the truth.

It's easy to see what role model Target are using...

(After all, if it's good enough for Government, it's good enough for them.) :-(

Credit cards need overhaul (0)

Anonymous Coward | about 3 months ago | (#45923343)

Validating a purchase with a single number is an outdated concept.

It's an inside job. (1)

Anonymous Coward | about 3 months ago | (#45923355)

I worked on these systems and they are all internal: POS to store server to regional server. If it was exposed to the internet, someone went out of their way to be stupid or to steal.

Any malware on the system was brought to it by key drive or by the Internet connection that nobody knew about.

This is NOT some dipshit script kiddie - this is an employee who wanted to do harm and get rich.

target messes with their employees and does not OT (2)

Joe_Dragon (2206452) | about 3 months ago | (#45923483)

target messes with their employees and does not pay OT

http://www.huffingtonpost.com/2011/10/17/target-manager-fired-lunch-break_n_1016100.html [huffingtonpost.com]

Re:target messes with their employees and does not (2)

nwf (25607) | about 3 months ago | (#45923813)

If they are paying their IT staff $10/hr, then I'd expect nothing less. However, I doubt that. The IT staff are probably mostly salaried, which means no OT.

Re:It's an inside job. (1)

mysidia (191772) | about 3 months ago | (#45924123)

If it was exposed to the internet, someone went out of their way to be stupid or to steal.

Must apply Hanlon's razor here. Someone probably did something stupid. Without evidence to the contrary; it could just as easily be a UIT (Unintentional Insider Threat), as an Intended Insider Attack.

Lots of class actions (1, Interesting)

pcwhalen (230935) | about 3 months ago | (#45923357)

I'm a plaintiff's attorney and I filed before Christmas. Lots of other firms out there with lots of other cases.

Target should have at least had one sys admin to see that kind of data bump crossing their network while the breach occurred. They advertise for techs that can use Hadoop. They have to understand something about data and bandwidth with 100 million names in a database.

With that amount of data crossing the servers, shouldn't someone have seen something?

There's more. Write me if you want info about mine or other cases. target at paulwhalen dot com

[nothing within this post shall be considered a legal opinion, solicitation or attorney advertising]

Re:Lots of class actions (1)

msmonroe (2511262) | about 3 months ago | (#45923527)

Paul you should probably spend some money to update your web site. ; )
That comment being out of the way.
It had to have taken some time to transfer the data, it would seem like there would be plenty of time to catch what was going on.
All seems pretty negligent. Are the banks going to sue them, after all don't the banks become liable for Target's actions at the end of the day, correct?

Re:Lots of class actions (2)

pcwhalen (230935) | about 3 months ago | (#45923603)

Web site overdue for an update? Guilty. On my to do list for years [and probably years from now].

Krebs On Security [http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/] says Target was informed of the breach by Visa and Master Card. Target wouldn't have caught it as soon as they did unless they were told.

Negligent? Er, uh, yup.

But banks and credit card companies don't sue vendors, their customers. If they did, they would lose customers. Thus, they eat the losses.

It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs.

[See? Lousy HTML skills. Sorry.]

Re:Lots of class actions (1)

Hamsterdan (815291) | about 3 months ago | (#45923943)

"It's the person who just got $900 from their debit card spent fraudulently online that spends hours upon hours plugging the holes and righting the wrongs."

Right on. I've had a 200$ fraud in my account just before the holidays. Royal Bank Of Canada can't access the ATM cameras (they tell me it's not one of theirs). Their argument is since they can't prove it was somebody else using the card, *I* have to eat the losses. Great, and all that time I thought people were innocent until proven guilty in that country.

Re:Lots of class actions (2)

bloodhawk (813939) | about 3 months ago | (#45923573)

That isn't actually a lot of data size-wise, especially if stolen over a period of time, and no, it would be unusual to spot it leaving the network. The data has to be properly secured; trying to detect data leaving your network would be a near impossible task. Don't get me wrong, Target have majorly fucked up, but your expectations of where this should have been detected are dead wrong.

Re:Lots of class actions (1)

pcwhalen (230935) | about 3 months ago | (#45923619)

You may well be correct and I should not have conjectured. Truly, I have never run Hadoop or any relational data set of any size. Maybe it's something that wouldn't make a dent in bandwidth or come up on some sys admin's radar.

It is indeed more the question that the data wasn't properly secured that allowed for the loss.

That's a lot of data, though....

Re:Lots of class actions (0)

Anonymous Coward | about 3 months ago | (#45923731)

When dealing with huge datasets, cubes and technologies like Hadoop, it is easy to be dealing with network flows in the 100's of terabytes on a daily basis. Actual raw data for 100 million people is a drop in the ocean by comparison.

Re:Lots of class actions (0)

Anonymous Coward | about 3 months ago | (#45924109)

When dealing with huge datasets, cubes and technologies like Hadoop, it is easy to be dealing with network flows in the 100's of terabytes on a daily basis. Actual raw data for 100 million people is a drop in the ocean by comparison.

Maybe they're seeing 100's of terabytes flow across their INTERNAL network but I'd bet the amount of data sent out to the internet from the breach caused some sort of anomalous traffic.

Re:Lots of class actions (1)

queazocotal (915608) | about 3 months ago | (#45924299)

Name, CC number and details, ...
This will - minimally at least - compress to about 100 bytes per record.

5 or 10GB is not a lot of data any more.

Re:Lots of class actions (1)

nwf (25607) | about 3 months ago | (#45923837)

That's a lot of data, though....

I'd bet it's less than 1% of what traverses their network every day. If they are using Hadoop for marketing purposes, I'd guess all the CC information for every account in the US is a drop in the bucket in comparison. I'd further bet it compresses well, as does most text, making it the size of a few nice digital pictures of cats.

Re:Lots of class actions (1)

bloodhawk (813939) | about 3 months ago | (#45923895)

That's a lot of data, though....

In data warehouse terms it isn't actually a lot of data at all. I would imagine their data storage would be in the multi-petabyte range. A couple of hundred gig could traverse the network in a very short period of time and not even register as an unusually large amount of data.

Re: Lots of class actions (0)

Anonymous Coward | about 3 months ago | (#45924267)

Their DLP for DIM should have caught it unless it was encrypted leaving the network. If they had encrypted data leaving the network that they weren't monitoring they were negligent.

This reeks of an inside job. Someone targeted those POS using a mechanism, likely SCCM. They also got a second unrelated database.

Was the mag stripe data stored? That's a crime in Minnesota and Target lost that data.
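The disagreement in this sub-thread (the stolen records are tiny next to total network volume, yet the outbound traffic might still be anomalous) can be tested by baselining each host against its own history instead of the network total. The following is an added example, not part of any comment: it sizes the dump from the thread's 100 bytes per record figure and scores daily internet-bound bytes with a median/MAD test; the host names, byte counts and threshold are constructed assumptions.

```python
from statistics import median

BYTES_PER_RECORD = 100  # compressed size per record, the figure quoted in the thread
MB, GB = 10**6, 10**9

def dump_size_gb(records, bytes_per_record=BYTES_PER_RECORD):
    """Estimated size of a compressed record dump, in GB (10^9 bytes)."""
    return records * bytes_per_record / GB

def robust_score(history, today):
    """Modified z-score of today's egress against earlier days.

    Median and MAD are used so one earlier spike does not inflate the baseline.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        mad = max(med * 0.01, 1.0)  # floor for perfectly flat baselines
    return 0.6745 * (today - med) / mad

def network_score(egress):
    """Score the latest day using only the network-wide daily total."""
    totals = [sum(day) for day in zip(*egress.values())]
    return robust_score(totals[:-1], totals[-1])

def flag_hosts(egress, threshold=6.0, min_days=5):
    """Return (host, score) for hosts whose latest day exceeds their own baseline."""
    flagged = []
    for host, series in egress.items():
        history, today = series[:-1], series[-1]
        if len(history) < min_days:
            continue  # not enough history to form a baseline
        score = robust_score(history, today)
        if score > threshold:
            flagged.append((host, round(score, 1)))
    return sorted(flagged, key=lambda item: -item[1])

# Constructed sample: daily internet-bound bytes per internal host, latest day last.
SAMPLE = {
    # busy public web tier: hundreds of GB out every day
    "ecom-web-01": [410*GB, 395*GB, 402*GB, 420*GB, 398*GB, 405*GB, 407*GB],
    # point-of-sale controller: a few MB of card authorisations
    "pos-store-114": [12*MB, 11*MB, 13*MB, 12*MB, 10*MB, 12*MB, 14*MB],
    # internal server that suddenly sends one 1.5 GB slice of a dump
    "staging-db-07": [40*MB, 35*MB, 42*MB, 38*MB, 41*MB, 37*MB, 1500*MB],
}

if __name__ == "__main__":
    print("110M records ~ %.1f GB compressed" % dump_size_gb(110_000_000))
    print("network-wide score: %.2f" % network_score(SAMPLE))
    print("per-host flags:", flag_hosts(SAMPLE))
```

On this data the network-wide total stays well inside normal variation while the per-host baseline isolates the one server that changed behaviour, and the test needs only byte counts, so it works whether or not the outbound stream is encrypted.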

WTF Target?? (0)

Anonymous Coward | about 3 months ago | (#45923397)

OK, H U G E data breach. Who is on that 110MM customer list? Are you planning to notify EVERYONE whose data was stolen? You had better get down and funky and fast and notify EVERYONE.

I was immunized by a 3-year-old! (0)

Anonymous Coward | about 3 months ago | (#45923465)

Early in the year I was babysitting a friend's 3-year-old when I opened my wallet and she fell in love with my Mickey Mouse debit card. This past August I had my bank change the number and give me a new card so I could give her my old card.

I rarely go to Target, and haven't been since well before August. So I was, in effect, immunized by a 3-year-old's love of Mickey Mouse.

Err, /. may now resume bashing Target...

They declined me ... (4, Interesting)

TrollstonButterbeans (2914995) | about 3 months ago | (#45923479)

Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

[True story!]

Re:They declined me ... (0)

Anonymous Coward | about 3 months ago | (#45923531)

You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit, which prevents you from getting credit history. Try American Express; they tend to be really good about accepting documentation of employment and income in lieu of credit history.

Re:They declined me ... (1)

mysidia (191772) | about 3 months ago | (#45924131)

You'll get a letter in about 3-4 months saying something like "insufficient credit history". Because you need credit history to get credit

There's a circularity issue there. If you can't send in an application and get credit without credit history, then nobody should have credit....

Re:They declined me ... (0)

Anonymous Coward | about 3 months ago | (#45923583)

Except that if you filled out a credit application, they could have all of your personal information.

Re:They declined me ... (1)

nwf (25607) | about 3 months ago | (#45923855)

Target declined me for a credit card in August and wouldn't tell me why either and I still don't know, so I guess that was a "Good Thing".

[True story!]

If you write to them, I'm pretty sure they are required to tell you. Plus, you can get free copies of your credit reports as a result.

No loss, though. I had one of their CCs and their customer support was so amazingly inept that I cancelled out of frustration. I've never dealt with a CC company with such pathetic customer support. It makes me mad just thinking about it. I can only imagine how well they handled a massive amount of fraud on their cards. Good thing their support is in India or people would have likely shown up with baseball bats.

Re: They declined me ... (0)

Anonymous Coward | about 3 months ago | (#45924155)

I remember when I used to be one of the bad guys, I went to an apartment complex and snatched up all of the "does not live here" mail. I came across an un-activated Target credit/Visa. I called the activation number on the card, mashed zero to speak with an operator and told them I was having problems activating my card and I think they might have the wrong social on file. The operator asked me for my correct social (which I made up on the fly while at a had station post phone none the less) and proceeded to activate the card which had a $5000 limit.... Needless to say a heroin addict can burn up $5000 pretty fast, and never once did I have to call and reactivate the card due to "irregular spending". Needless to say that this was over seven years ago (past the statute of limitations). From what I have seen thasn't done much to beef up security.

Good excuse (4, Interesting)

bob_super (3391281) | about 3 months ago | (#45923511)

My wife may finally understand why I want her to stop giving her data to a million different stores in exchange for a 5% discount or 500 bonus miles.

Re: Good excuse (3, Informative)

Anonymous Coward | about 3 months ago | (#45923585)

Er, this isn't about their super bonus Target credit card plus or whatever they call it. This is a database they created of everyone who shopped at Target and used any form of credit card. You could just as easily have ended up on the list by using a bank-issued debit card.

Re: Good excuse (1)

bob_super (3391281) | about 3 months ago | (#45924357)

And the UK porn filter is used to quash file-sharing websites, and 9/11 was used to take down Saddam, and...

I'm an evil person, and "you can trust retailers' databases security" is hopefully not going to have a better illustration anytime soon.

At least I'm not conjuring "in this economy" or "think of the children", I'm just carefully wording the truth for her own good.
No oppressed majority will be enabled to regain power and team up with my enemies in the process.

Re:Good excuse (2, Informative)

Anonymous Coward | about 3 months ago | (#45923631)

I don't think you understand. This is pretty much every single credit card used at Target or on target.com over the past few months or year. Or years. They are probably still lying about how many numbers. What pisses me off is that now they've lost names, addresses and a lot of PII data. Fucking Wall Street assholes who don't take security seriously need to be shot.

Re:Good excuse (0)

Anonymous Coward | about 3 months ago | (#45923647)

That made zero difference in this case. You're just bitching to hear yourself bitch.

Bad Math? (4, Interesting)

umdesch4 (3036737) | about 3 months ago | (#45923661)

The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

Re:Bad Math? (2)

nwf (25607) | about 3 months ago | (#45923869)

The summary says "had increased from 40 million to 70 million", but the title of this post says 110 million. I note that 40 + 70 = 110, so I think somebody parsed it wrong.

Probably the people who wrote the obamacare web site.

Re:Bad Math? (0)

Anonymous Coward | about 3 months ago | (#45923997)

I noticed that right away as well as I skimmed the summary and realized there's no *new* info post or linked to that says anything about 110. Someone added the numbers as if it was 40 million originally and now 70 million more for a total of 110 million, when it clearly states it's increased from 40 million to 70 million

Re:Bad Math? (1)

Anonymous Coward | about 3 months ago | (#45924193)

No.

A Jan. 10 press release admits the number of customers affected by the second-largest corporate data breach in history had increased from 40 million to 70 million

They are (clumsily, I'll admit), stating that the record increased from 40 million to 70 million. The previous record-holder being the 40 million credit cards breached, the new record being the 70 million emails/addresses/etc breached from a different system, totaling: 110 million records. Though there most likely is a ton of overlap so conflating 110 million records with 110 million 'victims' is still kinda dumb.

Fact Is (0)

Anonymous Coward | about 3 months ago | (#45923753)

if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people. Full stop. I'm sick and tired of these bourgeoisie monsters getting away with everything with nothing except their pride damaged.

Re:Fact Is (2)

jeffb (2.718) (1189693) | about 3 months ago | (#45923859)

And just too bad for the 360K people they employ, nearly none of whom could have known or done anything about this, right?

Re:Fact Is (0)

Anonymous Coward | about 3 months ago | (#45924457)

Well, as a prior dabbler of the listed 'arts', I took great pride in getting all the customers' info at ALL jobs I worked at. I also know that there are a LOT of peeps in similar positions in EVERY form of business that do this all the time. You can't really stop it, because the mutherfucker in charge does not want to do his job, so he pawns it off on someone under him who gets paid less, so this motivation will always continue.

ITS ALL GREED BASED... CAPITALISM AT ITS FINEST!!!!

FUCK THE MAN, man

Re:Fact Is (1)

mysidia (191772) | about 3 months ago | (#45924139)

if you let this kind of thing happen via lax security, your business should be halted, dissolved, and the proceeds divided between the affected people.

If it didn't happen to the Comodo certificate authority, who had signed a bunch of rogue SSL certificates: when their whole business model is to be a cert provider of reliable verified trust, then it won't happen to Target.

from the ok-this-time-try-20-percent-off dept. (1)

pcwhalen (230935) | about 3 months ago | (#45923829)

That's pretty funny. I really have to read the subtitles under the subject lines on \.

High-sterical. Literal LOL.

Target is the new Kmart (2)

Osgeld (1900440) | about 3 months ago | (#45923851)

Bunch of shit I don't want, one thing I do want they don't have, simple things like brasso

anyway, I bought 1 thing from Target cause the reviews were high and it was the only place I could get it local, now I am tied up in this mess

between those two it's going to be a cold day in hell before I step foot back in that store

ps where is this free credit monitoring they offered me almost 3 weeks ago?

Wink And A Nod To NSA (0)

Anonymous Coward | about 3 months ago | (#45923923)

Got to give credit where credit is due. :-)

Using reverse-engineered NSA programs means I can "subvert" 110 million US pennies.

That is $1,100,000 at current US dollar currency value on world markets!

Retirement On Easy Street here I come!

Not just December, not just Target (1)

Snotnose (212196) | about 3 months ago | (#45924001)

1) The breach was discovered in December, sounds like it's been going on for months. 2) I'd be very surprised if Target is the only entity that got breached. I keep waiting to hear "Oh, hey, 'member that Target thing? It's now a Walmart, Sears, TJ-Maxx, and Nordstroms thing".

Blame where it is due (0)

Anonymous Coward | about 3 months ago | (#45924007)

Blaming Target for the breach is like blaming the hot chick when she gets raped because she dressed too sexy and "had it coming."

If you leave your front door unlocked and someone burglarizes your house, it is still the burglar's fault the crime happened.

class action (0)

Anonymous Coward | about 3 months ago | (#45924061)

We here in 'murica are big fans of class action lawsuits and 5 dollar gift cards. Can anyone recommend a good law firm to get this started? ..ethanol.fueled

Am I the only person who doesn't care anymore? (4, Interesting)

rjejr (921275) | about 3 months ago | (#45924069)

About 20 years ago somebody behind me at a Detroit gas station had their tank of gas billed to my credit card. A few years ago Sony gave it all away. Next year I'm sure there will be another security breach. And the year after that. And the year after that. I shop in Target every week with my Target credit card, and I will continue to do so. They are going to get you one way or another. Or they aren't. Target obviously screwed up, their security was lax, their investigation is pathetic, their forthcoming with the news leaves a lot to be desired. But I'm not going to kill myself, cut up all my credit cards and start using cash, or leave the country. I don't blame people for not shopping there anymore, or switching to cash, but I just don't care anymore. This shit happens all the time, every day people have their identity stolen, it sucks, but it's part of everyday life now, no getting around it. Well, suppose there's the Amish way, but that's just not for me.

Re:Am I the only person who doesn't care anymore? (3, Insightful)

GodfatherofSoul (174979) | about 3 months ago | (#45924151)

I care, but I don't think there's anything I can do about it. Until we stop waiting for the "free market" to come up with a solution and regulate better credit card security, nothing will change. Vendors are just going to roll the dice and hope nothing bad happens. I consider myself very cautious and I've had 3 fraudulent uses of my card 3 times already (thankfully the bank didn't charge me).

Re:Am I the only person who doesn't care anymore? (-1)

Anonymous Coward | about 3 months ago | (#45924423)

I know I don't give a fuck. In fact, I welcome it. It will force us to be enumerated permanently. Just like foretold. Quite frankly, I grow sick & tired of this sinful hellhole and just want to get this game over. Bring on the Pain.

o yea..... FUCK SATAN and his little crew of bandits.....

and the rest of you fools who love this world and its ways.....enjoy your penance....

Another 10% discount (0)

Anonymous Coward | about 3 months ago | (#45924405)

Hopefully this weekend

An Obama Dollar Here An Obama Dollar There (-1)

Anonymous Coward | about 3 months ago | (#45924431)

Frantic activity at the White House on 10 January 2014.

Obama received a TOP SECRET briefing from the Director of NSA on the NSA's hack of Target.

Obama: "now juz watz a minute .... yuz sayz we getz a penniz and wez richz?

DNSA: "Youza!"

Obama: "How datz?"

DNSA: 1 penny from each of the 110 million accounts will abdiz upz toz 1.1 millionz dollarz!"

Obama: "Dang! Charge big Whitiez 10 dollar eachz! Nowz wez billionzairz Fouz! Yeh Haz."

Thus in the White House on 10 January 2014 Obama danced a jig of joy in the delight of new found riches.

Ha ha

}:-D
