It couldn’t have happened at a worse time for a retailer. Target informed shoppers that if they charged an item at Target stores between Nov. 27 and Dec. 15, their credit and debit card accounts may have been compromised—as many as 40 million cards in all.
While online shoppers typically have been the victims, this time hackers went through the physical checkout systems inside every Target store—about 2,000 stores, 1,797 in the United States and 124 in Canada. It’s possible that every shopper who swiped a credit card or entered a PIN at the point of sale had their information stolen.
Barbara Endicott-Popovsky, director of the Center for Information Assurance and Cybersecurity at the University of Washington, told TIME Magazine that hacking “is a business. The general public would be shocked and amazed by the size of the problem.”
She added, “People who run companies are not aware that they’ve actually become software companies. We’re headed toward the internet of things, where we have embedded software in every product. What we’ve done is open up a whole host of vulnerabilities.”
In the past, criminals wishing to steal credit card numbers and PIN codes had to do so by placing a thin pad over an ATM keypad. Through this they had to capture both the credit card number as it was swiped and the PIN typed into the keypad, according to Business Insider. With this information they could create fake cards from blank cards with magnetic stripes that can be used in ATMs. These hackers also had to be physically present at the ATM to install the pad and later to remove it to retrieve the numbers, Business Insider said. Because they could only get information from a few hundred cards a day, one machine at a time, hackers using this method have been limited.
Time reported that in a case such as this, strategies used to infiltrate a point-of-sale system can be similar to those used on other pieces of software. A piece of malware called Dexter, used to infiltrate point-of-sale programs, may have infected Target’s network. It is also thought to have been responsible for widespread credit card theft at fast food restaurants in South Africa this year.
To introduce Dexter to Target’s system, an employee could have purposefully left a backdoor open for hackers, Time said, or could have clicked a link unknowingly, allowing an entry point for the malware or other malicious code. It’s also possible the company’s wireless network was compromised.
Information reported stolen from Target customers includes names, credit or debit card numbers, card expiration dates and the three-digit security code on the back of cards, known as the CVV, USA Today reported. Target spokesman Eric Hausman, however, confirmed there is “no indication that debit card PINs were impacted.” Access to PINs would allow the thieves to use stolen account data to withdraw cash from ATMs.
Time surmised that because of the scope and the timing of the Target theft—during the busiest shopping season—the hack was most likely done by organized cybercriminals. They would have had to plan for it well in advance and probably will sell the data for a few dollars per card. CNN said today that there is evidence the stolen information is already being sold and that the hackers most likely came from abroad, where there is almost no penalty and the FBI has almost no access to the criminals.
Andy Obuchowski, a director for security and privacy at consulting company McGladrey, told USA Today that Target’s breach is the latest instance of a growing problem for retailers. The issue has increased as more companies outsource writing and maintaining software, he said.
In 2007, hackers accessed TJ Maxx’s central database and stole account information for more than 45 million credit cards by intercepting data as it traveled between hand-held price scanners and cash registers. Data breaches in recent years have also included Michaels, Stop & Shop, Barnes & Noble, Aldi and Subway.
“This sort of hacking is absolutely on the rise, as the tools are more readily available for even novice hackers to utilize in their efforts to crack open companies’ computer systems,” Adam Levin, chairman of Identity Theft 911 and Credit.com, told USA Today. “With a data breach of this type, the rewards — your money — are so great that it can only continue to increase.”
Target said in a statement that it alerted authorities and financial institutions immediately after it was made aware of the unauthorized access. As well as putting the appropriate resources behind these efforts, the retailer said it is partnering with a leading third-party forensics firm to conduct a thorough investigation.