The U.S. retail industry is suddenly distressed by the news that the breach of Target’s online data, much of it the financial information of its customers, is part of a much wider, international attack on the security of several major retailers.
Details about Target’s cyber-attack are slowly starting to appear. Hackers broke through Target’s online security system, accessing the personal data, financial and otherwise, of more than 70 million shoppers. The credit card and debit card information of more than 40 million people is now considered compromised.
Investigators have made two revelations that are particularly disturbing for the industry at large. One, the code used to trespass into Target’s storehouse of customer data is highly sophisticated, using a specially designed software virus undetectable by existing anti-virus measures. The offending code was somehow injected into Target’s portal that accepts online payments for products; however, it is not yet precisely known how this was accomplished or how the code was so effectively hidden from detection. It has been reported that there is evidence some of the code was written by Russian programmers but, so far, no comment has been made about the attack potentially being a state-coordinated act of espionage. In collaboration with the private cyber-security firm iSight Partners Inc., the U.S. Department of Homeland Security (DHS) is conducting an investigation of the matter.
According to a report issued by iSight Partners, the “intrusion operator displayed innovation and a high degree of skill.” Tiffany Jones, a senior vice president at iSight Partners, added, “What’s really unique about this one is it’s the first time we’ve seen the attack method at this scale. It conceals all the data transfers. It makes it really hard to detect in the first place.”
Also, there is gathering evidence that the attack on Target was not an isolated incident but, rather, part of a sweeping salvo perpetrated against multiple retailers. At least at the time of the publication of this article, DHS officials have declined to expand upon this revelation. Over the holiday shopping season, Neiman Marcus also suffered a major breach of its customer data. Karen Katz, chief executive at the Neiman Marcus Group, has said that there is no dispositive evidence that their attack is related to the one directed against Target. She declined to provide specific information about the scope of the breach.
As a result of the exposure of so much private data, Target is now faced with nearly seventy class action suits alleging that it failed to take adequate steps to ensure the safety of its customers. Tina Wolfson, an attorney at Ahdoot & Wolfson P.C., who is the lead attorney on one of the suits, said that Target’s failure “to maintain reasonable security procedures, and delays in notifying customers, will put her clients at risk for identity theft for years.” She continued, “This could be the biggest case I’ve seen in number of people affected.”
Some conjecture that the Target case will likely expand into a new wave of consumer litigation. Paula Rosenblum, a retail technology analyst at RSR Research, said, “I’m not sure if it’s because of the NSA disclosures or what but I think we are hitting some kind of tipping point. The consumers are more unforgiving and the lawyers are more hungry.”