Target hacked: news and updates on the massive retail breach that affected millions

In a big milestone for banks hoping to make Target pay for a massive data breach, a judge on Tuesday certified a class-action lawsuit against the retailer. The judge ruled that the banks will now be able to pursue their lawsuit against Target as a group, which, as Reuters reports, makes a settlement more likely.

Last month, Target settled a case individually with financial institutions issuing Visa cards, although Reuters reports that it's unclear how many have already taken that settlement, and thus would not be qualified for a settlement from this lawsuit. Earlier this year, another settlement with Mastercard fell through.

Target has agreed to pay $10 million to people affected by the breach of its systems in 2013 that saw 40 million credit and debit card numbers stolen. According to court documents, the retailer's proposed settlement — which has yet to be approved by a federal judge — could pay individuals up to $10,000 in compensation. A court hearing to approve the proposal is scheduled for Thursday.

Home Depot could be the latest major company to have customer credit card data siphoned off and sold online. Security researcher Brian Krebs writes that multiple banks have said the chain might be the source of a batch of credit and debit cards currently being sold in an online black market. "I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," said Home Depot spokesperson Paula Drake in a statement to Krebs, saying that it was too early to tell whether there had in fact been a breach.

Krebs believes a Home Depot hack could have been carried out by the same people responsible for the attack on Target, which netted hackers information on 40 million credit and debit accounts along with other customer information. He suggests, however, that it might be larger in scope. The breach reportedly could affect all of Home Depot's 2,200 US retail stores, and some banks have said that it could date back to April or May of this year. Target's payment systems, by contrast, were compromised by malware for around three weeks between late November and mid-December of 2013; Target has about 1,800 US branches.

The hack that cost Target and its partners more than $200 million may have caused even more damage than we thought. The New York Times is reporting that the same malware used in the attack also targeted more than a thousand other US businesses, based on a new assessment from the Secret Service. Known as Backoff malware, the attack allows hackers to monitor all the information passing through checkout computers, including customer credit cards. UPS and Supervalu have both announced they were affected by the attacks, but many others have yet to come forward.

It's unclear how many distinct attackers are responsible for the various breaches, but the report underscores the terrible state of security for most point-of-sale payment computers. Attackers typically gained access through "remote access" software designed to let employees work from home, but once they were on the network, spreading the malware was alarmingly easy. Embedded devices like the credit card machines are rarely patched or audited, and they're often accessible from stores' broader computer networks. The Secret Service report recommends a number of overdue remedies, including widespread encryption, two-factor authentication for employees, and active security programs that could monitor the networks for unusual data transmissions like the ones initiated by Backoff.

Five months after a data breach that compromised credit card data for 40 million customers, Target CEO Gregg Steinhafel has agreed to step down from his position running the retail giant. Steinhafel is also stepping down from his positions as president and chairman, and giving up his seat on the board of the company. Chief Financial Officer John Mulligan is expected to take over as president until a successor can be found. In March, the company's chief technology officer resigned over the breach.

The security breach that compromised 40 million credit card numbers and data of 70 million Target customers last December could end up a part of a cybercrime film produced by Sony and based on security researcher Brian Krebs who broke the story. According to The Hollywood Reporter, Sony's purchased the rights to "Reporting From the Web’s Underbelly," a profile on Krebs published last month in The New York Times.

In the wake of a December security breach that put up to 40 million credit card numbers and 70 million more pieces of customer contact information in the hands of hackers, Target has been doing damage control. It's installed new credit card security systems, and its chief operating officer resigned in early March. But according to a report from Bloomberg Businessweek, the company's state-of-the-art security system detected the hack as soon as it started — and did nothing. Instead, it took two weeks and a warning from federal investigators to plug the hole.

Target's head of technology handed in her resignation today, months after the company suffered one of the largest data breaches in retail history. Beth Jacob, who has served as Target's chief information officer and executive vice president of technology services since 2008, is vacating both positions and departing the company immediately. According to CEO Gregg Steinhafel, the retailer has already launched a search for an interim CIO to help steer Target through a major security overhaul. "While we are still in the process of an ongoing investigation, we recognize that the information security environment is evolving rapidly," Steinhafel said.

The sophisticated attack was launched during the popular Black Friday shopping weekend and stretched on for three weeks. Hackers made their way into Target's computer systems by using stolen credentials from a refrigeration contractor. By the time the company became wise to the breach, perpetrators had already stolen data on 40 million credit and debit card accounts. Target later revealed that other information (addresses, phone numbers, etc.) on up to 70 million shoppers was also compromised. A federal investigation remains ongoing. In her resignation letter — which does not mention the disastrous incident — Jacob says choosing to leave Target was a "difficult decision." Last week, Target reported $61 million in costs related to the breach, though the bulk of that damage was covered by the retailer's insurance.

Last year's cyberattack on US retail giant Target in which up to 40 million credit cards were compromised and up to 70 million names, email addresses, and phone numbers were stolen — has cost banks and credit unions more than $200 million.

The Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) have replaced 21.8 million cards, more than half of those compromised in the attack. The cost to CBA member banks has now reached $172 million, while credit unions have spent $30.6 million. Both figures have increased from original estimates of $153 million and $25 million respectively, and still don't take into account the cost of replacing cards for financial institutions that are not members of the Consumer Bankers Association or Credit Union National Association.

Target's security staff may have been aware of vulnerabilities in the retailer's systems months before a massive breach compromised data on millions of shoppers. The Wall Street Journal reports that at least one internal analyst had called for a thorough review of the defenses around Target's payment terminals, which were later infiltrated during the sophisticated attack. That request was initially "brushed off" according to the Journal. It's unclear if a review was eventually granted before hackers made off with 40 million debit and credit card numbers — and a wealth of other customer information. The specific nature of those concerns are also unknown, the Journal says, so any vulnerabilities exploited by the hackers may have still been in place even after the requested review.

Target maintains an "extensive" cybersecurity intelligence team, according to a former employee who spoke with the Journal. US retailers reportedly deal with many threats each week, and their security teams face the difficult task of prioritizing some of those threats over others. Earlier this month, it was revealed that the Target hackers managed to sneak their way into the company's systems by stealing credentials from a contractor. From there, they planted malicious code targeting the retailer's payment terminals. In the wake of the attack, some Target customers have been hit with fraudulent charges, forcing banks to replace millions of credit and debit cards. An investigation to find those responsible remains ongoing. Be sure to keep up with our StoryStream to get all the latest on the Target situation.

Customers might have to be worried about another range of companies thanks to the Target credit card security breach. The retailer reported that the initial intrusion into its network was traced back to credentials stolen from Fazio Mechanical Services, a refrigeration, heating, and air conditioning company hired by Target. Hackers used the stolen credentials between November 15th and November 28th to upload card-stealing malware to many of Target's cash registers, and within a month, completely infiltrate the system.

However, that does not explain why the retailer's maintenance network led the hackers to its payment network. It's possible that Target had the maintenance and payment networks connected, making it easy for hackers to access one from the other. But Krebs alluded to an even more unsettling scenario — the networks could have been separated from the start, but the hackers found a way to connect them.

Target says it's accelerating a program that will update its retail stores with technology designed to thwart credit card fraud. In an op-ed in The Hill, Target chief financial officer John Mulligan says the company is moving up its goal to utilize chip-enabled smart cards, and now plans to have them in stores by early 2015, which is six months earlier than originally planned. Those cards encrypt point of sale data, rendering the credit card number less useful if stolen. Mulligan notes that the smart cards have not taken off in the US, but have resulted in lower card number theft in other countries, notably Canada and the United Kingdom.

During a US Senate hearing on Tuesday, US Attorney General Eric Holder again confirmed that the Department of Justice is investigating the massive Target hack. "While we generally do not discuss specific matters under investigation, I can confirm the Department is investigating the breach involving the US retailer, Target," Holder said. But the DoJ's search isn't limited to the perpetrators. Holder's testimony included a stern warning for anyone using the stolen customer information for illegal purposes. "We are committed to working to find not only the perpetrators of these sorts of data breaches. but also any individuals and groups who exploit that data via credit card fraud."

Target has said data on roughly 40 million credit and debit cards was lifted during the breach. Hackers managed to infect Target’s retail registers with malware that stole the financial info. 70 million other records containing sensitive customer information like mailing addresses and phone numbers were also stolen in the massive attack. Other retailers have reported similar breaches, and the FBI has warned companies that these sophisticated hacks are likely to continue. To help reduce that threat, the US government has privately shared some methods used by Target's hackers with other major US merchants. "We also will continue enforcing essential privacy protections and other safeguards concerning data possessed by government as well as the private sector," Holder said.

The security breach that impacted 70 million Target customers last month may have been caused by malware created by a 17-year-old Russian hacker. While the suspected teenager wasn't actually responsible for perpetrating the attacks, he did reportedly write the software, known as BlackPOS, that was used after being purchased by the eventual attackers. The news comes courtesy of "multi-tier intelligence aggregator" IntelCrawler, which reports that the malware used during the Target breach "may have" also been a part of a similar attack on retailer Neiman Marcus.

"Most of the victims are department stores," says IntelCrawler CEO Andrew Komarov. "More BlackPOS infections, as well as new breaches can appear very soon, retailers and security community should be prepared for them." According to the company, the very first sample of the malware was created last March, and the first infected point-of-sales systems were in the United States, Australia, and Canada. In the wake of the massive Target attack, this week the US government sent a document to major retailers outlining just how the retailer's point-of-sale systems were breached, noting that the malware was written partly in Russian by someone with "a high degree of skill."

The United States government has sent a confidential, 16-page document to major retailers that outlines how hackers infiltrated Target's data systems late last year and made off with sensitive information belonging to over 70 million customers. As the investigation into that breach continues, the government is sharing some of what it's learned so far. According to CNBC, the report reveals that the malware which infected Target was "partly written in Russian" and that the perpetrators "displayed innovation" and "a high degree of skill."

The bulletin tells merchants how they can identify the methods and malicious software used in the attack, Reuters says, which Target's anti-virus tools ultimately failed to pick up on. Little else is known about what the document contains, though it's length suggests the Secret Service and Justice Department are making some headway in their investigation of the incident. Of course, the biggest challenge of all is finding those responsible; no arrests linked to the breach have been publicly reported.

US retailer Target will offer testimony next month in a congressional hearing focused on data breaches. The Commerce, Manufacturing, and Trade Subcommittee hearing is scheduled for the first week of February and comes in the aftermath of a massive and sophisticated hack against Target that compromised the information of "approximately 110 million customers." The company initially believed the damage was limited to financial data, but earlier this month Target revealed that names, mailing addresses, and email addresses for up to 70 million shoppers were also among the stolen information.

It's unclear how much new information Target will share during testimony; an investigation on the breach remains ongoing with involvement from the US Secret Service and Department of Justice. But subcommittee chairman Lee Terry is hopeful that the session will prove useful. “Tens of millions of Americans have had their information compromised in recent weeks, and consumers deserve to know what information has been taken and the potential threats that exist," he said. "By examining these recent breaches and their consequences on consumers, we hope to gain a better understanding of the nature of these crimes and what steps can be taken to further protect information and limit cyber threats."

Following last month's news that 40 million debit and credit card numbers were stolen in a hack, Target today disclosed that a huge number of personal details have also been compromised. The retailer says up to 70 million names, mailing addresses, phone numbers or email addresses were stolen as part of last November's hack.

The company says the stolen data is "partial in nature," and it will attempt to contact everyone whose email address has been compromised to warn them of the dangers of scam emails that could be on their way. Target CEO Gregg Steinhafel notes the company is "truly sorry" its customers are having to "endure" the effects of the hack, and announced a company-wide policy that he hopes will soften the blow.

Target has confirmed that encrypted debit card PIN data was stolen as part of the massive hack carried out against the retailer between late November and early December. The company previously admitted that card numbers and expiration dates were compromised in the attack that affected 40 million customers. That data has already started appearing on the black market, which in turn has put financial institutions across the US on high alert as banks look to protect customers from fraudulent activity.

Target says it remains confident that identification numbers are "safe and secure" thanks to the Triple DES encryption it uses to protect sensitive data. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement. When you make a debit purchase at one of Target's stores, your card information is "encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the retailer says. "What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident." To underline that point, Target closes its latest update on the incident by saying, "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

The theft of credit and debit card information for as many as 40 million Target customers, first reported by independent journalist Brian Krebs, is prompting banks to take action.

With Target already reeling from a massive hack that left up to 40 million credit and debit cards compromised, The New York Times now reports that all that data has been pouring into the black market since the break-in. With the breach taking place between Black Friday and December 15th, criminals on hundreds of illicit card-selling markets have likely had access to consumer information for weeks to date.