Target provides update on breach

As part of as ongoing forensic investigation, the US retail giant said it has determined that certain customer information – separate from the payment card data previously disclosed – was taken during the data breach.

Uncovered as part of the ongoing investigation, this theft means the investigation has now determined that the stolen information included names, mailing addresses, phone numbers or email addresses for up to 70 million individuals. 

While it added that much of this data is partial in nature, in cases where Target has an email address, the company said it would attempt to contact affected customers. Assuring guests of zero liability for the cost of any fraudulent charges arising from the breach, it is also offering customers three months to enrol for one year of free credit monitoring and identity theft protection to anyone who shopped its US stores.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer of Target in a statement.

It remains to be publicly disclosed how hackers breached Target’s cyber defences to install malware on electronic point-of-sale (PoS) terminals that harvested up to 40 million payment card details. But security experts have commented that the malware was coded in an adaptive and persistent way, storing the stolen data on an infected Target server until the criminals accessed it.

Jason Hart, vice president cloud solutions at encryption specialist SafeNet, commented that the latest revelations about the Target data breach should serve as another wake up call to the industry. “This means reviewing the way in which data is being processed and transmitted by conducting a risk assessment to see if high value data requires encryption in transit as well as at rest,” he said. 

 

Hart added: “While the payment information taken in the Target breach was encrypted, immediately reducing the impact of the breach, it is clear that data cannot be encrypted in isolation. Right now, companies encrypt to be compliant with numerous data breach regulations, such as PCI DSS [Payment Card Industry Data Security Standard].” 

“However, as with most compliance regulations, PCI-DSS only mandates a lowest common denominator-level of security and more protection is required,” he continued. “Organisations now need to move beyond basic regulations and ensure that they are securing data throughout its whole lifecycle. This means securing data at the application layer (such as point-of-sale terminals), while it is in transit or motion, and when it is stored.”

 

With hacking attempts becoming almost a daily occurrence, Hart also warned it is clear that being breached is not a question of ‘if’ but ‘when’. So companies need to ensure they are taking the necessary precautions. “This means using best practice data protection – authentication, encryption and key management – to guarantee that data is effectively useless when it falls into unauthorised hands.

 

“One of the most common mistakes that organisations make is storing the encryption key in an insecure manner, thus exposing sensitive information to significant risk. Therefore, only those companies that encrypt all valuable data and apply tamperproof and robust controls to the management of the keys, can be safe in the knowledge that their data is protected whether or not a security breach occurs.”

Tweets by RetailTechUK