It took a group of cyber criminals 19 days to steal the personal information of 40 million people from Target’s database, but it will take the retailer much longer to recover from the massive theft.
On Wednesday, security blogger Brian Krebs reported that Target (TGT) was investigating a security breach involving stolen credit and debit card information. The retailer confirmed Thursday that approximately 40 million in-store customers had their information comprised over a nearly three-week period that included the heavily trafficked shopping period surrounding Black Friday.
The value of the stolen personal information could be as much as $800 million depending on the extent of the criminals’ underground network. The security breach represents one of the largest at a major retailer since 2007 when criminals stole card numbers and other data from as many as 90 million cards belonging to T.J. Maxx, HomeGoods, and other discount chains owned by parent-company TJX.
“Everyone thinks today that this happens because of hackers, but that is long gone,” said Daniel Tobok, managing director of cybersecurity firm TELUS Security Solutions. “Now it has turned into highly sophisticated organized crime, which is very lucrative business.”
Target’s security breach demonstrates a devastating reality: Practically no consumer is safe from cyber attacks on their personal information. Target’s information security group is one of the best in retail, and if a breach of this magnitude can affect them, it can really affect anyone, said Rodney Joffe, a cyber crime expert and senior vice president of information and analytics firm Neustar.
The discount retailer did not disclose how an attack of this magnitude infiltrated its servers, saying only that a third-party forensics firm is investigating the situation. It is likely that the criminals took advantage of Target’s point-of-sale systems, Joffe said, which would allow them to create counterfeit cards and even withdraw money from customers’ accounts.
With a greater volume of shoppers coming through its doors, the retailer was particularly vulnerable to an attack around Black Friday.
“Everybody is running around like chickens with their heads cut off and they are worried about business and not security,” Tobok said. “The bad guys are smart. They know the best time to get in.”
An individual’s credit or debit card information could be worth as much as $20 on the black market. But it is highly unlikely that the criminals who organized the Target security breach will be able to capitalize on the information of all 40 million customers before the banks steps in and issue new cards on compromised accounts. As the U.S. Secret Service investigates the breach as well, Joffe estimates that the criminals will only get away with hundreds of thousands of dollars in fraudulent charges.
“It really is a race to see who is going to do what with the information first,” Joffe said.
Target is likely to suffer the biggest loss from the attack. When TJX (TJX) was breached in 2007, it cost the retailer more than $100 million to cover the costs of the subsequent investigation, security system upgrades, customer communications, and legal fees.
Financial costs aside, the retailer’s delayed response to, and acknowledgement of, the problem could have a lasting impact on its brand image. While the retailer did not disclose precisely when it became aware of the breach, it took more than three weeks after the first customer was compromised for Target to issue a statement.
“There is no way to hide it or hide from it and they need to be frank about it and what they are doing to improve,” said Donna Arbietman, the founder of Drum Marketing Communications. “I would give as much information as possible on as many channels as possible without compromising future transactions.”
As for the criminals, whether or not authorities catch them is moot, Joffe said.
“Even if they are caught, ultimately, that isn’t going to make it safer for us and it won’t make it any better for Target as a brand,” Joffe said. “There is always someone who thinks they have a better way of attacking a system and not even get caught.”
Clarification, December 20, 2013: The original version of this article understated the value of the fraudulent charges that the criminals responsible for the Target breach would get away with. It is hundreds of thousands of dollars, not $100,000.