The law is fundamentally flawed if it does not treat this incident as criminal negligence on the part of Target.
Hackers swiped the names, home and email addresses, phone numbers and other personal information of up to 70 million Target shoppers, the superstore giant admitted today. Evidence of the customer database raid was discovered during an investigation into the attack on Target's payment systems that leaked 40 million credit and …
Sadly, what will happen is calls for harsher sentences for "computer crimes", and not similar punishment for those who high up are "criminally" negligent in how their businesses store and protect such sensitive data.
Guess who funds the politicians?
Target funds the politicians?
A likely story.
It says "siphoned unencrypted", which may mean quite a few things, and not necessarily "stored unencrypted".
Start with civil cases in small claims court asking for the maximum that small claims allows. Avoid class action like the plague. Even if the 40 million people only manage to win $100 on average it will be 10% of Target's market cap which should come as quite a stinger to Target, their management and shareholders that this kind of slack behavior won't be tolerated. It will also serve as an ominous warning to other mega-corps to clean up their act regarding personal data security. There is no national security claim so I don't see how the government can grant retroactive immunity in this case. I just hope everybody waits a few days so I have time to get my short options on Target.
Sarbanes-Oxley should provide the needed law broken if storing CC information, which Target did. I do not think there is any law on the books that can be used to charge for criminal neglect of personal data in this instance. The criminals are the people who did the hacking.
The part that should be prosecuted to the fullest extent as complicit in the crime itself is the people at Target who attempted to cover up the crime.
Cloned credit cards are only useful in physical stores, as the CCV2 (the three-digit code on the back) is not required for swiped transactions. The other CCV is part of the same magnetic track that was stolen, but it is useless if you try to buy from Amazon. As credit card companies are required to provide fraud protection, the damage to a customer is minimal. Just check online for odd transactions, call the bank, file a report, and wait. Sometimes it requires a bit more legwork, but for the most part, it's no more than an annoyance. Most banks today recognize that if they shoulder the cost of fraud, they need robust systems on their side to detect fraud. In fact, in some cases it's gotten too good and results in declined swipes because you are traveling or buying something well outside your normal transaction history.
Debit cards are different and more secure. Whoever Target entered into a debit card processing agreement with, they agreed on an encryption standard for the PIN, as that is a "stronger" form of identity validation and probably is protected by law. Target is probably on the hook with the various issuers if they fail to encrypt that information, and Target does with one of the strongest options available in a commercial setting.
In the end, it sucks to change your PINs (just in case) and pay a bit closer attention to your cards. But Krebs on Security already had a story of smaller banks going out to the credit detail shops online and buying back their customers' information. At a cost of $25 a card, it's not cheap, but it's probably cheaper than settling fraudulent charges with merchants and consumers, and it gets you an exact idea of how many accounts were compromised and require reissuing.
"But Krebs on Security already had a story of smaller banks going out to the credit detail shops online and buying back their customers' information."
Are you saying that the banks buy back the stolen credit card details from the people selling them online? How would they know that the sellers won't keep a copy and just sell them again?
Yes, I am saying exactly that. There are a few posts on his site relating to his conversations with smaller issuers and what they do when there is a breach like this. And they do it not to get it off the market but to get list of the impacted cards.
But while a copy might be kept, they have little value if they don't work. So I'm sure these thieves know that some banks buy their customers back, so it ends up being a nice little extortion racket. But even so, the underground market had the books sorted by zip code, since nothing flags a transaction like it being 2,000 miles away just a few hours after the legitimate card holder bought gas by home. Being used in multiple locations even close to home at or near the same time is another simple flag, so they have an incentive to actually only sell a book once. It's no different than merchants of legitimate goods; if you sell crap wares, you don't have a lot of repeat business and eventually you have a lot of product that is going bad fast (and even faster once a breach is reported in the press).
"It says "siphoned unencrypted", which may mean quite a few things, and not necessarily "stored unencrypted"."
In order for it to be siphoned unencrypted, it has to have been DEcrypted at some point. Last I checked, the point of the PCI-DSS rules was to make it so that AT NO POINT does that occur until it reaches the clearinghouse where the data has to be decrypted as a matter of procedure (because they're authorized agents of the credit card companies). The data is supposed to be encrypted at the magstripe reader (like how ATM keypads encrypt at the keypad), using a key provided by the clearinghouse so that it goes from the PIN pad to the register, to the back office, and from there to the clearinghouse without it being altered or decrypted.
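The comment above describes the point-to-point model: the magstripe reader encrypts track data under a key shared with the clearinghouse, and the register and back office only relay an opaque blob. The Python below is an added illustration of that design and is not code from the thread or from any payment vendor: an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the hardware reader's DUKPT (3DES/AES) cipher, the key-serial-number layout and the `relay` hops are assumptions, and the track record is the well-known test PAN 4111111111111111, constructed here. The `contains_plaintext_pan` check shows the difference that matters for a breach like this one: the raw reader output contains a scrapable card number, the encrypted blob sitting in the register's memory does not.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample track-2 record (test PAN, not a real card):
# PAN = expiry (YYMM) + service code + discretionary data, as a reader emits it.
SAMPLE_TRACK2 = "4111111111111111=25121011000000000000"

# A run of 13-19 ASCII digits is the shape a card number has in memory.
PAN_RE = re.compile(rb"\d{13,19}")


def derive_transaction_key(base_key: bytes, ksn: bytes) -> bytes:
    """Per-transaction key from the injected base key and a key serial number.
    Real readers use DUKPT; HMAC-SHA256 key derivation is a stand-in here."""
    return hmac.new(base_key, b"TXN-KEY|" + ksn, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustrative cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_at_reader(base_key: bytes, ksn: bytes, track: str) -> dict:
    """What the PIN pad / card reader does before any byte reaches the register."""
    enc_key = derive_transaction_key(base_key, ksn)
    mac_key = hmac.new(enc_key, b"MAC", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    pt = track.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, ksn + nonce + ct, hashlib.sha256).digest()
    return {"ksn": ksn, "nonce": nonce, "ct": ct, "tag": tag}


def relay(message: dict) -> dict:
    """Register and back office: forward the blob untouched; they hold no key."""
    return dict(message)


def contains_plaintext_pan(blob: bytes) -> bool:
    """Does this buffer hold a card-number-shaped digit run? True for raw track
    data, and (with overwhelming probability) False for the encrypted blob."""
    return PAN_RE.search(blob) is not None


def clearinghouse_decrypt(base_key: bytes, message: dict) -> str:
    """Only the clearinghouse, holding the base key, can recover the track.
    The tag is checked first, so an altered blob is rejected, not decrypted."""
    enc_key = derive_transaction_key(base_key, message["ksn"])
    mac_key = hmac.new(enc_key, b"MAC", hashlib.sha256).digest()
    expected = hmac.new(
        mac_key, message["ksn"] + message["nonce"] + message["ct"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: blob altered in transit")
    ks = _keystream(enc_key, message["nonce"], len(message["ct"]))
    return bytes(a ^ b for a, b in zip(message["ct"], ks)).decode()


def run_transaction(base_key: bytes, track: str = SAMPLE_TRACK2) -> dict:
    """Reader -> register -> back office -> clearinghouse, reporting where
    a plaintext card number would have been visible along the way."""
    ksn = b"READER-0001|" + secrets.token_bytes(4)  # hypothetical KSN layout
    blob = encrypt_at_reader(base_key, ksn, track)
    at_register = relay(blob)
    at_back_office = relay(at_register)
    recovered = clearinghouse_decrypt(base_key, at_back_office)
    return {
        "pan_visible_in_raw_reader_output": contains_plaintext_pan(track.encode()),
        "pan_visible_at_register": contains_plaintext_pan(at_register["ct"]),
        "recovered_matches": recovered == track,
    }


if __name__ == "__main__":
    demo_base_key = secrets.token_bytes(32)  # injected into the reader at deployment
    print(run_transaction(demo_base_key))
```

The point the thread is circling is the `relay` hops: under this model the register and back office are never given a key, so compromising them yields only ciphertext and per-transaction key serial numbers. If card numbers were readable in POS memory, the data was either decrypted on site or never encrypted at the reader in the first place.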
"In order for it to be siphoned unencrypted, it has to have been DEcrypted at some point. Last I checked, the point of the PCI-DSS rules was to make it so that AT NO POINT does that occur until it reaches the clearinghouse where the data has to be decrypted as a matter of procedure (because they're authorized agents of the credit card companies). The data is supposed to be encrypted at the magstripe reader (like how ATM keypads encrypt at the keypad), using a key provided by the clearinghouse so that it goes from the PIN pad to the register, to the back office, and from there to the clearinghouse without it being altered or decrypted."
Yeah! BUTT! (misspelled on purpose!) - We have not the full facts on just what happened in this debacle now! - have we? I challenge anyone to show a link where a definitive answer is provided!
I really wonder if even "Chip 'N Pin" will cure this huge breach. Latest news says it is more like 140 + MELLION!!! As the REG is wont to say. HA!
"And they do it not to get it off the market but to get list of the impacted cards."
Now that makes sense.
That's a very very interesting and informative post. I would not have suspected the existence of the factors that you've listed. Thank you for posting.
It'll soon be easier to contact the people who weren't in the database. Or Target should just buy a one year blanket fraud insurance coverage for everyone in the US. Probably be cheaper.
...all hackers should be shot dead one - 22 caliber bullet at a time starting with the ankles.
Shoot the messenger? Let me guess, target employee?
"hackers" are lovely; it's "crackers" you might want to target.
If you're reading this site, you should probably know the language. See
Then read backwards to "(TM)" and forwards to "zorkmid".
Google (and whatever dictionary it uses) defines "guest" as
1. a person who is invited to visit someone's home or attend a particular social occasion.
2. a person invited to participate in an official event.
3. a person invited to take part in a radio or television programme or other entertainment.
4. a person staying at a hotel or guest house.
5. a customer at a restaurant.
6. a small invertebrate that lives unharmed within an ants' nest.
So it seems that every person going shopping at Target now is "a person invited to take part in a radio or television programme or other entertainment", and they surely will be if their money gets stolen because of Target.
Staff at the US chain will now >>>>>call<<<< and email customers whose contact information was illegally harvested.
What's that, a quarter of the US population? I don't think they'll be calling.
In any case, doing so or even announcing they will be doing so, has created a new phishing threat.
"Hi I'm Joe Phisher from Target, I have your details here so you can verify its me, we just need to get your bank PIN so we can update our records..."
"oh yes I recall reading Target were phoning their customers phoning, so it must be you".
"and if you can give me your full bank details I'll be sure you get your $100 as compensation. We just need your banking passcode."
Dumb and dumber.
"What's that, a quarter of the US population? I don't think they'll be calling."
Well, 13% assuming 40 million unique cardholders in the database, of 300 million people in the US, and automated calling systems and WATS lines (or whatever the current equivalent is).
My *guess* is that it can be done.
Maybe what might start happening is that credit card issuers and chains such as Target -- the ones aggregating tens of millions of customers from not just the USA, but all those European, Chinese, Korean, Japanese and other international travelers and students who enter Target while on sojourn, business, or international student visas, or just passing through -- will have to contract representatives of the cc issuers ON SITE, in the store, and have them swipe their driver's license or passport or passport card, a debit card, a library card, and one or two other magnetic and verifiable pieces of ID, plus an SSN or EIN or some such number, and re-verify the card holder and any authorized additional family or business holders of the cards on the accounts.
But, for such a scheme to work, Target and the credit card issuers and the banks would all have to lock up accounts and steer people into the big-box stores, or to reciprocally-located store kiosks situated in the banks. Pretty soon, the only way to curb this illegal activity is to base transaction authorization on retina and pulse scans and three-factor authentication of the host/card-account-holder.
Considering that shoplifting costs the US chains and smaller shops billions to deal with or recover from, and to smooth over issues with breached accounts, that 8-15 billion could be diverted over a two year period to setting up hardened card issuance and card-holder identity re-certification/reverification.
It might even have an NSA angle to it -- the NSA could redeem itself (wait, yeh, right?) by helping the fraud monitoring companies to consolidate information and use their quantum fu to travel back in time and destroy miscreants BEFORE they commit crime in the as-yet-infected timeline. Maybe the NSA is working on a QTB (Quantum Time Bomb) or PECTIN (Pre-Existence Curtailment Time-Interception Node) antidote to the problem?
Wait, the coffee must be altering my reality-de-distortion spectacles...
It would be interesting if 90% of the affected cardholders would just in-person, in-advance withdraw the needed cash from a bricks-and-mortar bank, then shop, and say to hell with redeeming points potentially gained via their "Valued Shopper Rewards Card Program". The redeemable points are nowhere near worth the hassle suffered for all the extra work to un-screw their ID theft miseries.
The only positive in this is that it will just scare the bejeezus out of a lot of people and make them pay more attention to their monthly or online statements.
If the NSA used QTLF (Quantum Time Line Fu) on this, the mafias and others involved in these theft activities might end up killing each other off for one of their rivals or clients excessively or greedily dipping into the pot and forcing these beefed-up security measures which will likely damage the illegal profits and gains they would have acquired had the breaches been less newsworthy.
Question: Would YOU cheer on any legislation that said the NSA/GCHQ/et al would commence double-duty on the global hazards of ID theft and e-money pilferage with the only outcomes being curtailment of the continued existence of parties found involved in the ID theft and erosion of trust in the sanctity of commercial transaction processes?
OK, back to my hallucinogenic (misnomer for under-brewed/under-strength) coffee...
Face it till the CTO/CEO does jail time this will simply be part of their "cost of doing business."
I agree with you, but the shareholders would be happy to throw a CEO under the bus, or even in prison, to stop the "cost of losing business".
BTW, who the hell permitted them to keep my data? I never signed a EULA or some shit like that. I just walk in and use a card, I never signed anything that said Target can keep my info.
I never signed anything that said Target can keep my info
So did you give it to them or not? Maybe you are not even affected?
The chicken cries are starting to get a bit deafening in here.
Good thing Target has one of the most sophisticated crime labs in the country. They'll have this taken care of in no time, right?
Target and others will get serious about security if customers react by staying away in droves.
That is unlikely so Target will quickly be back to business as usual.
It's up to 110M now in less than 12 hours.
Just figure if you ever gave Target any of your personal info, or if they bought it from someone else for marketing purposes, it was stolen.
Actually, it's called sensational reporting. Some bright bulb in the copy editing room remembered that when you add two numbers together, you get a larger number. The truth is somewhere between 70 and 110 million. The likelihood that there is no overlap between the credit card transaction theft and the customer database theft approaches zero. And given the brand loyalty exhibited by Target shoppers (at least until recently), many of those 40 million who suffered credit card detail theft are also in the Target customer database that was compromised.
Actually no it isn't - Target have confirmed that it was 70 million ADDITIONAL customers and confirmed the total is now 110 million.
The last time I shopped at Tarcunt* I got a six-pack of beer. The cashier didn't just eyeball my driver's license as all other shops do, she read the mag stripe of it, capturing a bunch of personal info (some card companies use your driver's license number as part of the application). That was the last time I bought beer there, and this just clinched the deal.
* Sorry, must be my accent.
Unfortunately for Target, their TM'd logo might feel like:
-- A bullseye
-- A testament
The unfortunate testament would be that the attackers were "right on target" on Target. For the initial breach to not be detected for weeks or months and only be uncovered on another, subsequent audit means -- for the attackers -- a scored bullseye. Fortunately, for Target, their logo does not have score numbers on the rings.
Ring Ring... Cash may be restored as King. Plastic swipability a severe liability
No chance of cash making a comeback.
The US population have been scared shitless of being classed as a terrorist, the FBI claim that peaceful citizens do NOT pay for things with cash, doing so fits the profile of terrorist intent.
This sounds too surreal to be true. Or maybe not. You got a source for that?
I don't think we are there yet, but there is definitely a War on Cash afoot and you can bet on what a Progressive Loves Most that it will only intensify.
Just do a search for "FBI cash is terrorist"
The sooner the principle that 'identity' can be somewhat stolen so easily is extinguished, the better.
Those silly 'memorable' questions etc. mean I could probably get the password reset on accounts of many people I know, and half the population of my village.
If some company erroneously gives things to someone else thinking that it is me, how the hell should it be my problem?
'Mitchell and Webb' put it far better than I could: http://www.youtube.com/watch?v=CS9ptA3Ya9E
Unencrypted! Surely credit card companies require card details to be encrypted.
That's what I was thinking, based on PCI-DSS rules. From the PIN Pad, the card number should be encrypted by a key provided by the clearinghouse so that no one in between can intercept it. Unless Target is ITSELF a clearinghouse.
This is what happens when you go cheap on your IT and your company is run by teh stupid.
"Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards".
Seems being an American company gives them a free pass. They misreported the scale of the hack and then drip-fed an amendment that gets footnotes in the press.
The scale seems on par with or slightly worse than the Sony hack, but whereas Sony were brutally honest, and when they didn't have information, painted a worst case picture, for which the press destroyed them, Target have lied and got a free pass.
American companies getting free passes from the mostly american press. Japanese companies are not so lucky..
Oh sure, I remember Sony as a paragon of virtue, always fully disclosing its issues and never trying to stab its customers in the back. Oh wait . . . no it hasn't ever been that.
Sony is a powerhouse of paranoid executives who consider every customer as a potential thief and will respect no limit in nailing customers to a post to bleed them dry. HDMI is entirely geared to do just that, as there is nothing HDMI can do that a CAT-6 Ethernet cable can't - except limit user rights, of course.
If Sony was a bit more forthcoming about its infamous PS Network outage, it's because you can't really punt in a corner the fact that you are shutting down the whole thing because your security was abysmally stupid. No "only affects a few customers" this time.
The timeline is clear. The intrusion happened starting April 17th, but it was only on April 20th that Sony said anything about it. At that time, the solution was supposed to be a day or two away. Of course, Sony had shut down the network, so it had to state some facts, distasteful as that may be.
You probably don't remember, but there was a veritable hurricane of outrage hitting Sony's Twitter account at the time. Sony was being ridiculed left and right, and PlayStation owners were incandescent with rage.
So yeah, Sony might have been rather honest on that one, but with over 20 million angry customers and a downed network, what choice did it have?
It's not like the rootkit issue, where Sony blithely denied everything until a class action was instigated, or the DRM backpedalling on the PS4, where Sony tried to pass the notion that there wouldn't be any but an alert Joe Public soon found out that there was.
That is Sony's usual behavior: sneak the bad stuff under the radar and deny it until millions of angry people are knocking down the doors.
On that subject, Sony is certainly not the only company to adopt that attitude.
Nevertheless, the only thing brutal with Sony is its total disregard for consumer rights and privacy.