2013 December 19, Reston, VA – IT Security Firm SAVANTURE Breach Analysis

Target has confirmed that unauthorized access to Target payment card data for credit or debit cards used for purchases in U.S. stores (Canada was not impacted) from Nov. 27 to Dec. 15, 2013. The breach resulted in a compromise allowing hackers to continuously access consumer information including customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).

This specific information is regulated by a consortium of credit card vendors to include VISA, MasterCard, and American Express. The standard referred to as the Payment Card Industry (PCI) regulation, which Target and any company that processes credit cards is obliged to adhere to in order to protect consumers information. While no standard can provide total protection even when followed explicitly, the PCI standard is widely regarded as one of the better approaches in protecting consumer credit card information, especially at its highest requirements, the most stringent level, where the largest credit card volume retailers such as Target are classified. The standard provides for protection of credit card information at rest (stored) and in transit (as it is processed from the Point of Sale through the credit card processor).

Target has taken action and utilizing internal resources and external third-party firms is conducting an investigation of the incident and to examine additional measures it can take to help prevent future compromises from occurring. Per regulatory requirements and good business practices, Target alerted authorities and financial institutions immediately after confirming the unauthorized access.

For the Target Customer. Target has released the following:

    “We recommend that you closely review the information provided in this letter for some steps that you may take to protect yourself against potential misuse of your credit and debit information. You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports. If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions. In addition, you may contact the Federal Trade Commission (“FTC”) or law enforcement to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. To learn more, you can go to the FTC’s Web site, at www.consumer.gov/idtheft, or call the FTC, at (877) IDTHEFT (438-4338) or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

    You may also periodically obtain credit reports from each nationwide credit reporting agency. If you discover information on your credit report arising from a fraudulent transaction, you should request that the credit reporting agency delete that information from your credit report file. In addition, under federal law, you are entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting agencies. You may obtain a free copy of your credit report by going to www.AnnualCreditReport.com or by calling (877) 322-8228.”

Full details of Target’s communications on the situation can be found here: https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

In the event of Personally Identifiable Information (PII) being compromised, it is fairly typical in these scenarios for the compromised entity to pay for credit monitoring for the consumer. When only specific credit card information is compromised, the support from the compromised entity varies widely.

For the Enterprise and Businesses.

Unfortunately these types of compromises have become commonplace and will continue to occur on more frequency as the broader population continues to grow and cashless transactions continue to increase. In this case because there seems to be a system wide impact to US stores it’s easy to assert that core systems were compromised and not a single store as we have often seen in the past. It’s also apparent that while PCI is one tool which should be incorporated into your overall transaction processing protection schema, a business’s regulatory compliance does not assure that customer PII or credit card information will not be compromised. It’s important to recognize that breaches such as this can cost a business’s millions in the terms of Reputation, Revenues and Regulatory fines.
It is essential for a business to take proactive measures to protect customer information in their custody, including knowing:

    o what confidential personal information is being collected
    o how that confidential personal information is stored, managed, distributed and destroyed
    o whether or not your current practices conform to applicable laws, regulations, policies
    o what are actionable steps you can take to reduce those potential risks.
    o what policies, standards, best practices, website privacy statements, etc. are needed
    o that your networks and systems are monitored on a 7x24x365 basis for evidence of anomalies that could indicate a breach or loss of confidential personal information.
    o do you have a culture of compliance that you to leverage security and privacy as a competitive differentiator for your business.

SAVANTURE stands ready to help you address these issues as a trusted partner. Please contact us to learn more.

Reference Links:

More information will be updated on this link as the situation evolves.