An important announcement came out today with regard to the recent cyber security scam that afflicted Target customers. A company called “ iSight Partners,” (a global cyber-threat intelligence firm,) worked in tandem with the United States Secret Service and the Department of Homeland Security to investigate the recent security breach. According to iSight, the scam that hit Target during the holiday rush also victimized numerous other retailers and their customers including Neiman Marcus.
Since this security breach is part of an ongoing investigation, there is no doubt that there is more going on behind the scenes than is known by the general public. The following is the limited information and timeline of what has occurred:
On December 27th, Target announced that some Personal Identification Numbers, (PINs,) and accompanying data had been stolen. The security breach was said to have happened between November 27th and December 15th.
On December 31st the public was notified that some holiday gift cards had not been activated.
On January 10th, Target acknowledged that the security breach was bigger than they had previously thought, and it may have affected up to 110 million customers. It was also announced that in addition to PIN information, some email addresses as well as physical home addresses had been stolen.
Also on January 10th, Neiman Marcus announced that it had also suffered a security breach. New data suggests that this breach had occurred as early as July, but the store waited until after the holiday season to make the announcement. The retailer has denied that they knew anything about the scam until January 11th when they “contained the threat.”
On January 13th, the CEO of Target, Greg Steinhafel, issued an open apology and also offered a free credit monitoring service for one year to customers who wished to sign up for the service.
Today’s announcement from iSight has identified the malicious software of this scam, called KAPTOXA. It is believed that KAPTOXA is a spin-off of BlackPOS, software that has malware scripts and was developed in Russia. iSight has seen these codes sold on the black market since June.
This security breach is the largest ever seen for a retailer, topping a theft in 2007 when the data from over 45 million credit cards was stolen from customers of T.J. Maxx and Marshalls stores.
Ever since this security breach happened, the rumor mill has been hard at work. Some people say that the scam was most certainly an inside job, and that this is due to the fact that Target laid off a large quantity of I.T. employees, thereby creating an army of disgruntled former employees who knew how to destroy the company and make money in the process. Others have said that these types of cyber crimes always come from people overseas. Working from a long distance makes it less likely that they will be discovered, and if they live in some countries, they may never be extradited and can avoid any possible punishment. The truth is probably somewhere in between. We know that the software is a newer version of one that came from Russia, but we also know that local employees did have access to confidential information. It is likely that someone who once worked for Target and/or other U.S. retailers sold proprietary information to someone else on the black market, and this buyer was the culprit of the scam.
Retailers who have similar POS systems are encouraged to read the entire report. This report can be procured by contacting the DHS NCCIC Duty Officer at NCCIC@hq.dhs.gov or by calling 888-282-0870. If retailers have any concerns that they may have been victims of a similar attack, they should contact the U.S. Secret Service Field Office/ Electronic Crimes Task Force (ECTF) or the USSS at 877-242-3375. If you are a Target customer, you can find out information about the free credit monitoring service by going to the Target website.
The thought of being robbed is troublesome to all of us, but what is truly terrifying is the prospect of total identity theft. One Target employee realized on December 27th that someone had tapped into his bank account. He later learned that this person had taken on his identity in other ways. He went immediately to his bank and reported it. Surprisingly, the bank saw no parallel between the fact that he worked at Target and that someone had stolen his identity. Instead, they asked him repeatedly about what he does on the internet and where he goes, even suggesting that maybe he can’t trust some of his so-called friends. The victim said, “They started off nice, asking me questions as if they were concerned for me. Then they gradually started getting more negative, and I realized that they suspected me of being part of the scam. I finally said, ‘You think I’m in on this? You think I have someone else holding my money for me?’ They just stared at me, then said something about how they have to explore all avenues. After that I called a lawyer and now I only let them talk to him. Every time I need any amount of money, every time I get a bill, I have to go to the lawyer and ask him to get money for me from the bank. This is the worst thing that has ever happened in my life. People don’t realize it, but when you’re a victim of identity theft, you really do start to feel like you don’t exist anymore.”
If you found this article to be of interest, please click on "+Subscribe" underneath the title of the article to receive free automatic email updates when this writer publishes again.