latest updates from easySERVICE™
It all started from names, mailing addresses, phone numbers and email addresses for up to 70 million people were stolen along with payment card data. Target first disclosed the data breach in mid-December 2013. Then in January 2014 Target disclosed the loss of payment card data.
According to the retailer, the latest disclosure doesn’t represent a new breach, but was revealed as part of its first investigation. Millions of U.S. citizens had their financial information and personal data stolen due to a security breach at Target, and it may be that a phishing email campaign is to blame.
Reported by cybersecurity expert Brian Krebs in February, a third-party heating and air-conditioning contractor may have provided the avenue for infiltration of Target systems — thanks to a phishing email campaign that at least one employee succumbed to.
The data theft was caused by the installation of malware on the firm’s point of sale machines, thought to be accessed via third-party vendors with security flaws in their systems, which provided the bridge for hackers to break in to Target.
The subsequent file dump containing customer data is reportedly flooding the black market, where it could be used to pilfer cash from accounts, be the starting point for the manufacture of fake bank cards, or provide data required for identity theft.
According to Krebs, sources close to the investigation say that credentials were stolen from Fazio Mechanical in a malware-injecting phishing attack sent to employees of the firm by email. Believed to have begun two months before the subsequent data theft, the campaign has been linked to the Citadel malware — a password stealing program related to the Zeus banking trojan.
In a statement , Fazio said it could not comment on the technical details of the breach, but admitted the firm was “a victim of a sophisticated cyber attack operation,” and “is not the subject of the federal investigation.” In addition, Fazio maintains its IT system and security measures are in “full compliance” with industry practices.
However, as Krebs notes, the firm’s primary security protection was through the free version of Malwarebytes Anti-Malware. While suitable for individual consumers and good as a clean-up program, the free version is not permitted for use on corporate systems and should not be used as a sole provider of protection — especially on business networks — as it does not provide a real-time scanner unless the Pro version is purchased.
Target is currently working with the U.S. Secret Service and FBI to investigate the breach and attempt to track down the cyberattacks. However, the retailer is not alone as a high-profile victim of cyberattack — in January, U.S. retailer Neiman Marcus Group admitted its own security breach which resulted in credit card scraping of 1.1 million customers.
Source: Associated Press