American retailers and their customers are living dangerously
According to Reuters U.S. Target Corp and Neiman Marcus are not the only American retailers that were breached over the holiday shopping season last year, however these other merchants did not publicly disclose the attacks
Smaller breaches on at least three other well known U.S. retailers took place and were possible because they used similar techniques as Target. These breaches have not come to light yet, and similar breaches may have occurred earlier last year.
According to Reuters and its sources, these were retailers with outlets in malls, but they declined to publicly admit the breaches. There might have been the same suspects the perpetrators that launched the successful attack against Target. They cannot be sure because they are still trying to find the culprits behind all of the security breaches.
Law enforcement sources stated that they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade.
Only Neiman Marcus stated that they too have been victim of a cyber attack since Target’s December 19, 2013 disclosure that some 40 million payment card numbers had been stolen in a cyber attack. Last Friday, January 10, 2014 the company admitted that the data breach is more severe than initially assumed. An investigation found that hackers stole the personal information of at least 70 million customers (!), including names, mailing addresses, telephone numbers and email addresses. Neiman Marcus communicated that the company is not sure if the breach was related to the Target incident.
TextileFuture knows also that Adobe has been the target of hackers in December and valuable information was stolen from their servers, also in Europe. Most American states have laws that require companies to contact customers when certain personal information is compromised, and Adobe did that. In many cases the task of notification falls on the credit card issuer.
U.S. merchants are required to report breaches of personal information, including social security number. It was not immediately clear if this was the case retailers who were attacked around the same time as Target. U.S. Secret Service and the Department of Justice are investigating the Target breach, but denied to comment.
Target has not disclosed how the attackers managed to breach its network or siphon off some of its most sensitive data. Reuter’s sources stated that investigators believe the attackers used similar techniques and piece of malicious software to steal data from Target and other retailers. One of the pieces of malware used was something known as a RAM scraper, or memory-parsing software, which enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears in plain text. The technology has been around for many years, its use has increased in recent years as retailers have improved their security, making it more difficult for hackers to obtain credit card data using other approaches.
Visa Inc issued two alerts last year about a surge in cyber attacks on retailers that specifically warned about the threat from memory parsing malware. The alerts published in April and August, provided retailers with technical details on how the attacks were launched and advice on thwarting them. It was not clear, whether Target’s security team had implemented the measures Visa recommended to mitigate the risks of being attacked. A law enforcement source stated that even if the retailer had implemented these steps, the efforts may not have succeeded in stopping the attack, because the attackers were more sophisticated than the ones in the previous attacks described in the Visa alerts.
Retailers seem to be often reluctant to report breaches out of concern that it would hurt their businesses. Target only acknowledged its 2013 attack after a security blogger reported the breach, prompting inquiries from journalists and investors.
Neiman Marcus declared that outside forensics firm discovered evidence on January 1, 2014 that indicated that the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from the security blogger, who was flowing up on reports about a surge in fraudulent charges traced to the retailer.
Target and J.C. Penney Co. Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers. During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C. Penney. Disclosure is not given prior to the victims own disclosure, a fact that is frustrating to the banks and to the customers.
Reuter cites Avivah Litan, a security analyst for Stamford, Connecticut based Gartner information technology research firm. She stated that her company learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season and from a forensics investigator. She added: “Target was not the only retailer who got hit, but they got hit the at large. Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers to perfect new techniques they afterwards used against Target, stealing payment cards at unprecedented speed”.
Chris Gay, director of Denver, Colorado based Accuvant information security firm’s risk and compliance practice explained to Reuters that sophisticated cyber crime groups do proceed like that, because they only have once the chance to get it right before victims catch on! He added: “they wanted to test it and make sure it works, afterwards you push it out at the appropriate time and do as much damage as you can.”
European retailers seem to be more prudent on how they store the sensitive data and very often they use outside specialised sources to validate n(certify) their systems. Also European customers use their credit cards more carefully than their American counterparts. Therefore the American mass market seems to be more attractive to criminal hackers.