Actually Two Attacks In One, Target Breach Affected 70 To 110 Million Customers

Posted: Jan 17 2014, 10:51pm CST | in News


The latest reports from Reuters indicate that six additional large U.S. retailers have ongoing point-of-sale (POS) data breaches that have been reported to law enforcement but not yet made public. Security firm iSIGHT Partners has announced that it has been working with the U.S. Secret Service and has discovered that the same type of malware that infected Target, a variant of the previously reported BlackPOS called KAPTOXA (a Russian term pronounced Kar-Toe-Sha), is likely involved in these new attacks. This information has been jointly published by iSIGHT, USSS, the Department of Homeland Security and the Financial Services Information Sharing and Analysis Center.

If these attacks follow the pattern of the Target breach, they are really two attacks in one. Target’s own communication on this has been muddled and many consumers are confused by the dual reports that, “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013,” and that, “Up to 70 million individuals may be affected… by the additional stolen information.”

Hold on, run that by me again. Are those 40 million cardholders a subset of the 70 million “additional stolen information” customers? Or is this 40 million PLUS 70 million? Target isn’t quite saying. A report today from Forbes’ Clare O’Connor indicates that this additional data goes back as long as ten years. And Teresa Dixon Murray of The Plain Dealer writes of a customer who was told by a Target customer service rep that, “We had a system glitch and everyone who ever shopped with us going back a long time and we had their email address in the system got the latest email.” In other words, Target doesn’t know which end is up!

From O’Connor’s experience we know that even people who had not shopped at Target during the period of BlackPOS infection (or even in the last decade!) are potentially part of that 70 million. So it is safe to say that the actual number of affected customers is somewhere between 70 and 110 million. Many of the people receiving emails from Target are miffed about why they got them but some who shopped there during the period in question, like The Plain Dealer’s Dixon Murray, still haven’t received any notification from the retailer.

As I wrote at the time of the initial announcement, Target’s lack of clarity has been its biggest PR mistake. The company’s FAQ about the breach doesn’t make clear at the beginning that there were two different types of information that were compromised with radically different time frames. Even the ordering of the entries in the FAQ obscures the narrative. The mention of “additional stolen information” nonsensically comes before the mention of “40 million credit and debit card accounts.” A small matter of linguistics, perhaps, but still, Aaargh!

And then there is Neiman Marcus, and the purported six additional large retailers who may also have experienced this one-two punch of checkout card-swipe scraping and wholesale database hoovering. I expect the identity of these companies to emerge in the coming days. Let’s hope these other retailers learn from Target’s travails.


Source: Forbes
