In a riveting article, The New York Times provides a detailed report unveiling how Eastern European hackers were able to gain access to financial and personal data for 110 million Target customers, with little trouble.
For about a year, the hackers spent time and energy trying to crack into the networks of major American retailers. Much to the delight of the hackers, they found that Target had been using simple passwords on their remote-access servers.
Once they exposed the simple passwords, gaining access to the rest of Target’s network was simple. The hackers swiftly moved to Target’s customer data, accessing the in-store systems that contained consumers’ credit card and PIN numbers. The fruit of their labor was astonishing:
- 100 million consumers affected
- 70 million consumers’ credit card information obtained
- 40 million consumers’ personal data gathered
- $18 billion in damages to banks and retailers
All Too Easy
The software, called Kaptoxa and supposedly developed by a Russian teenager, allowed the hackers to steal customer data directly off the magnetic stripes of credit cards, data that is normally sent to banks and credit card companies. The hackers then stored this information on a hijacked server on the Target network.
Then, nothing. Weeks passed and Target had no idea its network had been breached. Consumers were flocking to the superstore to take advantage of holiday sales. It was only when the Secret Service contacted Target that the company became aware of the huge security breach and that its consumers were unsuspecting victims.
Cleaning Up the Mess
Immediately, Target brought in security experts to figure out what had happened, how the hackers did it, and most importantly, how to stop it. The experts were able to track down the malware, delete it, and change all of the network passwords.
Target went public with the news on December 19, and the public response was both overwhelming and overwhelmingly negative. Over 70 lawsuits, many of them class action suits, have been filed against Target. In an effort to manage its customers’ concerns, Target has offered one year of free credit monitoring and identity theft protection to all consumers. Target will also invest $5 million to launch a campaign to educate consumers about cybersecurity and the dangers of phishing scams.
Unfortunately, security experts expect that the stolen credit card information will be available on hacker websites for at least a year.
Remember, your data is only as secure as your weakest password. We can only hope that all retailers storing our credit card information have finally learned this.