The hack that cost Target and its partners more than $200 million may have caused even more damage than we thought. The New York Times is reporting that the same malware used in the attack also targeted more than a thousand other US businesses, based on a new assessment from the Secret Service. Known as Backoff, the malware allows hackers to monitor all the information passing through checkout computers, including customer credit cards. UPS and Supervalu have both announced they were affected by the attacks, but many others have yet to come forward.
It's unclear how many distinct attackers are responsible for the various breaches, but the report underscores the terrible state of security for most point-of-sale payment computers. Attackers typically gained access through "remote access" software designed to let employees work from home, but once they were on the network, spreading the malware was alarmingly easy. Embedded devices like credit card machines are rarely patched or audited, and they're often accessible from stores' broader computer networks. The Secret Service report recommends a number of overdue remedies, including widespread encryption, two-factor authentication for employees, and active security programs that could monitor the networks for unusual data transmissions like the ones initiated by Backoff.