Massive Target Breach Puts Spotlight On PCI Complexity


Giant discount retailer Target acknowledged a data security breach of its systems, confirming Thursday that as many as 40 million credit and debit cards were exposed during the start of the busy holiday shopping season.

The data security breach took place on the payment systems associated with Target's brick-and-mortar stores, the retailer said in a statement issued Thursday. The thieves had access to the retailer's credit card systems between Nov. 27 and Dec. 15, when Target was made aware of the unauthorized access, the company said in its statement. Target said it has identified and resolved the security lapse that enabled cybercriminals to access the sensitive data.

"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said Gregg Steinhafel, chairman, president and CEO of Target, in a statement Thursday.

[Related: Verizon Analysis: Top 10 Causes Behind Data Breaches]

The massive data breach could rank among one of the biggest retail credit card breaches, say security experts. Solution providers told CRN the data breach is a reminder of the massive lapse at retailer TJX Corp. in 2007, in which cybercriminals targeted weak Wi-Fi points at the retailer's T.J. Max, Marshall's and other brick-and-mortar stores to pilfer millions of credit card numbers. That breach involved the theft of at least 45 million credit card numbers.

Even the most mature security programs often have weak points that can be targeted by cybercriminals, said Michael Aquino, director of cloud services at Chesapeake, Va.-based managed services provider Cetan. Managing system complexity, data flow and processes and working with the people maintaining them is extremely difficult, Aquino said. It's not enough for merchants to simply deploy encryption and maintain compliance with Payment Card Industry Data Security Standards (PCI-DSS), he said.

"You can have encrypted everything, but a breakdown in the process or in your organization will open up security problems and you have a breach," Aquino told CRN.

Merchants gained a valuable lesson from the TJX breach, learning that a large credit card breach for a big retailer is survivable, said Rick Doten, chief information security officer at Digital Management, a Bethesda, Md.-based mobility solutions provider. Many merchants transfer the risk to insurance, Doten said.

"I'm not surprised to see another large credit card breach; they will continue to happen because the impact is not a large one to the business," Doten said. "Being PCI-compliant doesn't make you secure; it only protects you from the lawsuits."

The Target breach was first reported Wednesday afternoon by Krebs On Security, and sources told reporter Brian Krebs that the hackers stole the track data stored on the credit cards. The breach impacts nearly all the physical Target locations in the U.S., the sources said.

Large retailers are constantly on guard for attacks because their networks have multiple access points that need to be monitored, said Steven Ryder, president and owner of True North Networks, an IT consultancy and solution provider based in Keene, N.H.

"Once someone gets in the network, whether it is 40, 400 or 40 million credit cards is irrelevant since once you're in, you're in," Ryder said. "It is why large companies are 'targets' so to speak, because the potential compromised data is so large."

Thieves will continue to strike at massive retailers and credit card processors to make a quick sale of the data on underground forums, said Graham Cluley, a U.K.-based independent security analyst. Cluley told CRN that retailers need to ensure that sensitive payment information is properly segmented from the rest of the network, strongly encrypted and never stored.

"Ensure that all points of your network -- at all the different locations -- are protected by good-quality security software, control the use of USB sticks, and deploy Web security filtering to keep employees safe when they're online," Cluley told CRN. "There are more ways to lose data than via an electronic breach. Misplaced or stolen computers, CDs and USB drives can all be sources of information for criminals."

PUBLISHED DEC. 19, 2013