ABC reports on data breach of Target and Neiman Marcus notifies its customers of its own data breach

January 13, 2014

The ABC radio program AM reports, in "Huge hack of consumer data in the USA", on a massive data breach involving Target over the Christmas period.

It provides:

TIM PALMER: It’s been described as the worst security breach of personal data in history and we may not yet know the full extent of it.

US retailer Target revealed over the weekend that the details of tens of millions more customers than first thought have been stolen in a massive hacking scandal, and now the upscale retailer Neiman Marcus says it’s been hacked too.

Security experts say it may have been an orchestrated fraud over the holiday season and other companies are yet to discover they were targeted as well.

They blame antiquated technology used in the US and say until it changes, companies and their customers will face continuing security threats.

North America correspondent Lisa Millar reports.

LISA MILLAR: Target is the third largest retailer in the US but right now it’s got the biggest headache.

(Extract from Christmas advertisement from Target)

Its Christmas ads told customers to expect more and pay less but now Target is having to tell those same customers far more of them have had their credit and debit information compromised shopping at their stores.

Target says at least 70 million people have been affected and shoppers at a Washington branch this morning are already taking precautions.

SHOPPER: I stopped using the credit card here at Target. I use cash now just in case because it’s really concerning.

LISA MILLAR: Did you shop at Target during the period?

SHOPPER: Yes I did and I usually use my credit card but thank god nothing has appeared anyway I still keep checking my account more now.

LISA MILLAR: High end retailer Neiman Marcus has revealed it too has been the victim of hacking. Some media networks are reporting that other US retailers were also hacked over the holidays but are yet to publicly disclose it.

Ken Stasiak, the CEO of SecureState says it’s now easily the biggest breach of this kind of data in history.

KEN STASIAK: This is serious for the retail industry and specifically for the payment card industry who handles the security for all your debit and credit cards.

LISA MILLAR: And how sophisticated is this hacking?

KEN STASIAK: The infrastructure the United States uses for debit and credit is pretty archaic. You know, we still use the mag stripes. We’re putting in security as best we can but the new threat agents that we’re seeing now with malware or these little software programs that the hackers are writing to really steal all this information, it is just too much for the retailers to keep up with.

So the hack itself isn’t necessarily that sophisticated, it’s been around for years, but I think now we’re starting to see that hackers are taking advantage of the poor security that’s been implemented.

LISA MILLAR: Why is America still using old technology?

KEN STASIAK: For years the infrastructure and the payment brands have been talking about it and it’s the adoption to get the retailers to move to you know, a chip and a pen technology that’s been implemented overseas.

LISA MILLAR: Similar to Australia?

KEN STASIAK: That’s right and you know, that definitely would help but we’re using technology that’s you know, dating back to the 1960s and when you look at it, you know, the credit cards we use today in the United States has not changed. It still has a mag stripe, you still swipe it and it goes.

The infrastructure’s enabled that technology to make it more convenient for users to purchase things over the internet and very fast through the checkout lines but the security and infrastructure just can’t keep up with the emerging threats.

LISA MILLAR: Should customers be expecting more from retailers in this day and age?

KEN STASIAK: They should and you know, it’s a little appalling to hear that you know Target says that they were victim and (inaudible) markets. You know the victims are the consumers that had all their information stolen, who have fraudulent charges with the information leaked from Target.

You know, this could get to identity theft pretty quick or you are going to start seeing people hit their credit history and their reports so you know, we expect the retailers and people handling our information to protect it and clearly there’s been a breakdown.

LISA MILLAR: Ken Stasiak says previous breaches have been blamed on organized crime groups overseas.

The FBI and the Secret Service are investigating these attacks.

This is Lisa Millar in Washington for AM.

Target issued the following statement (found here):

Target today announced updates on its continuing investigation into the recent data breach and its expected fourth quarter financial performance.

As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach.

This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals. 

Much of this data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests. This communication will be informational, including tips to guard against consumer scams. Target will not ask those guests to provide any personal information as part of that communication. In addition, guests can find the tips on our website.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Guests will have zero liability for the cost of any fraudulent charges arising from the breach. To provide further peace of mind, Target is offering one year of free credit monitoring and identity theft protection to all guests who shopped our U.S. stores. Guests will have three months to enroll in the program.

Meanwhile, Neiman Marcus is going through the melancholy task of notifying its customers of its own breach. Itnews covered the story in "Neiman Marcus notifying customers after card data breach", which provides:

Neiman Marcus has been notifying customers of a data breach after hackers stole merchant card information for an undisclosed number of shoppers.

The high-end retailer said it was working with the U.S. Secret Service and a forensics firm to investigate the theft, which it said it learned about in December from its merchant card processor.

“On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers cards were possibly compromised as a result,” Neiman Marcus said in an emailed statement.

“We have begun to contain the intrusion and have taken significant steps to further enhance information security,” the company said.

Neiman Marcus didn’t say how the break in occurred or how many of its customers were affected, but it confirmed some customers’ card numbers were used improperly after they shopped at the store.

“We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after purchasing at our stores,” the company said via Twitter late Friday.

Neiman spokeswoman Ginger Reeder said she couldn’t provide any further details at this time. The store apparently confirmed the break-in after being contacted by security reporter Brian Krebs on Friday.

The incident follows a massive data breach at Target, another major U.S. retailer. Target originally said about 40 million people were affected in that incident, but on Friday it said the number could be as high as 110 million, or about one third of the US population.

In addition to credit and debit card numbers, thieves also took customer names, mailing addresses, phone numbers or email addresses, Target said in a statement released Friday.

In light of these stories it is sobering to note that Australia has no mandatory data breach notification laws. The Privacy Alerts Bill 2013 lapsed last year while awaiting debate in the Senate.
