Target tested by holiday credit card data breach
By: Rodd Zolkos And Bill Kenealy (Business Insurance) January 2014
The Target Corp. data breach that exposed 40 million shoppers’ debit and credit card account information has caused lawsuits, state and federal investigations and potential company reputation damage, while raising fresh concerns among other businesses about the worsening risk of cyber attacks.
The data breach is being called the second-largest in U.S. retail history, behind a 2007 breach at TJX Cos. Inc. in which cyber criminals collected personal information from more than 90 million credit cards over more than a year.
Target first acknowledged its breach on Dec. 19, and revealed on Dec. 27 that its forensic investigation had found that the information hackers collected from Nov. 27 to Dec. 15 included card users’ encrypted PIN data embedded in their cards. The breach occurred during the annual Christmas shopping season, the busiest retailing period of the year.
While the Minneapolis-based retailer released few specifics about the nature of the data breach, many experts say it appears to have involved malicious software that collected shoppers’ data as they swiped cards at checkout keypads to pay for purchases in Target stores.
“If that’s the case, this is a very sophisticated kind of attack,” said Jon Neiditz, a partner at law firm Kilpatrick Townsend & Stockton L.L.P. in Atlanta, whose practice focuses on big data, privacy and information security. “The big risk management issue to me for all of the retail companies I work with and hospitality companies and others that have point-of-sale systems is: was this very sophisticated malware that involved point-of-sale systems and what lessons are there for other point-of-sale systems.”
