Retail giant Target became the target of a data breach that potentially involved 40 million customer credit and debit card records.
The retailer isn’t saying how the breach happened, but Avivah Litan, a security analyst with Gartner Research, has a strong opinion. She told The Associated Press that given the millions of dollars Target spends on security each year, she believes the breach may have been an “inside job.”
Various mainstream media sources reported the story late Wednesday after the Secret Service confirmed it was investigating the breach. Security researcher Brian Krebs broke the story days earlier, accurately reporting Target was investigating a breach that started at brick-and-mortar stores on Black Friday, the busiest shopping day of the year, and continued through Dec. 15. Online orders were not affected.
Krebs reported that thieves gained access to data on the magnetic strips of shoppers’ cards, potentially allowing them to produce counterfeit versions. If thieves had been able to intercept PIN data, they could potentially withdraw cash from ATMs using counterfeit debit cards.
In a release from Target this morning confirming the breach, PIN data was not among the list of information compromised. The company reports data involved in the incident include customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).
Target also published a list of recommended steps for consumers who made a debit or credit card at any U.S. Target store between Nov. 27 and Dec. 15.
For information about ways to secure your servers against a data breach, read about our Technical Security services.
If you’re confused about how to meet technical security requirements of PCI DSS compliance (Payment Card Industry Data Security Standards), read our PCI Compliant Hosting white paper. It discusses the impact of the PCI DSS standard on data centers and server infrastructure, describes the architecture of a PCI compliant data center both technically and contractually, and outlines the benefits and risks of data center outsourcing, and vendor selection criteria.
KrebsOnSecurity.com: Sources: Target investigating Data Breach
Target press release: Target confirms unauthorized access to payment card data in U.S. stores