The latest reports from Reuters indicate that six additional large U.S. retailers have ongoing point of sale (POS) data breaches that have been reported to law enforcement but not yet made public. Security firm iSIGHT Partners has announced that it has been working with the U.S. Secret Service and has discovered that the same type of malware that infected Target (a variant of the previously reported BlackPOS) called KAPTOXA (a Russian term pronounced Kar-Toe-Sha) is likely involved in these new attacks. This information has been jointly published by iSIGHT, the USSS, the Department of Homeland Security and the Financial Services Information Sharing and Analysis Center.
If these attacks follow the pattern of the Target breach, they are really two attacks in one. Target’s own communication on this has been muddled and many consumers are confused by the dual reports that, “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013,” and that, “Up to 70 million individuals may be affected… by the additional stolen information.”
Hold on, run that by me again. Are those 40 million cardholders a subset of the 70 million “additional stolen information” customers? Or is this 40 million PLUS 70 million? Target isn’t quite saying. A report today from Forbes’ Clare O’Connor indicates that this additional data goes back as long as ten years. And Teresa Dixon Murray of The Plain Dealer writes of a customer who was told by a Target customer service rep that, “We had a system glitch and everyone who ever shopped with us going back a long time and we had their email address in the system got the latest email.” In other words, Target doesn’t know which end is up!
From O’Connor’s experience we know that even people who had not shopped at Target during the period of BlackPOS infection (or even in the last decade!) are potentially part of that 70 million. So it is safe to say that the actual number of affected customers is somewhere between 70 and 110 million. Many of the people receiving emails from Target are miffed about why they got them but some who shopped there during the period in question, like The Plain Dealer’s Dixon Murray, still haven’t received any notification from the retailer.
As I wrote at the time of the initial announcement, Target’s lack of clarity has been its biggest PR mistake. The company’s FAQ about the breach doesn’t make clear at the beginning that there were two different types of information that were compromised with radically different time frames. Even the ordering of the entries in the FAQ obscures the narrative. The mention of “additional stolen information” nonsensically comes before the mention of “40 million credit and debit card accounts.” A small matter of linguistics, perhaps, but still, Aaargh!
And then there is Neiman Marcus, and the purported six additional large retailers who may also have experienced this one-two punch of checkout card-swipe scraping and wholesale database hoovering. I expect the identity of these companies to emerge in the coming days. Let’s hope these other retailers learn from Target’s travails.