Monday, January 13, 2014

Looks like 40 + 70 = 110 Million “items” 40 Million card numbers (or transactions) and 70 million “other things” so far. But we're not sure what happened so there may be more.
Target CEO promises to make 'significant changes' after huge data breach
The head of retail powerhouse Target is pledging to "make significant changes" in the wake of the latest revelation that as many as 110 million customers were ensnared in a massive data heist at stores across the country.
"Clearly, we're accountable and we're responsible. But we're gonna come out at the end of this a better company," Gregg Steinhafel — Target chairman, president and chief executive officer — told CNBC's Becky Quick in an exclusive interview that will air in full on Monday morning. "And we're gonna make significant changes."
… The retailer has said at least 70 to 110 million customers — a more massive number than previously disclosed in December, when the breach was first reported — were struck by the holiday-season data theft, making it one of the largest security breaches of its kind.
… When asked why it took the company four days to notify customers of the breach, Steinhafel said it “wanted to make sure our stores and our calls centers could be as prepared as possible,” adding that employees “worked around the clock to try and do the right thing.” [Four days is not too bad. Bob]
And Steinhafel told CNBC that the company still doesn't yet "know the full extent of what transpired."
"But what we do know was there was malware installed on our point-of-sale registers. That much we've established," he said.

(Related) and inevitable.
State prosecutors launch Target data breach investigation
State prosecutors in New York and Connecticut said they'll investigate Target Corp.'s massive data breach.

Timeline of Target's data breach
Nov. 27 to Dec. 15 Cyberthieves gain access to information on millions of debit and credit cards from Target customers.
Dec. 18 Target CEO, Gregg Steinhafel, issues a rare statement on holiday sales, saying, “We are pleased with Target’s holiday performance.”
Dec. 18 Computer security blogger Brian Krebs posts story saying Target is confronting a security breach involving millions of debit and credit cards.
Dec. 18 A spokeswoman for American Express confirms the data breach sayings they’ve launched their own investigation.
Dec. 18 The Secret Service confirms to other media sources it has begun its own investigation.
Dec. 19 Target confirms that credit and debit cards information of 40 million customers may have been exposed.
Dec. 20 Steinhafel issues an apology to customers and offers a discount to shoppers for the weekend.
Dec. 23 U.S. Department of Justice steps into investigation.
Dec. 23 Target says the data breach involved malicious software on the point-of-sale card-swiping devices in the checkout aisles of its stores.
Dec. 27 Target acknowledges that, contrary to early reports, personal identification numbers to debit and credit cards were also exposed.
Jan. 3 TCF Bank joins other banks in “replace-them-all approach” to Target’s security breach, will issue new cards to its affected customers.
Jan. 10 Target announces that personal information of 70 million customers also exposed during the breach, but the amount of overlap with the financial data of 40 million people is unclear. At worst, data of up to 110 million people was accessed from Target’s system.

(Related) Even bigger?
More well-known U.S. retailers victims of cyber attacks, but stores tight-lipped
Target Corp. and Neiman Marcus are not the only American retailers whose networks were breached during the holiday shopping season, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed.
Smaller breaches on at least three other well-known American retailers took place and were conducted using similar techniques as the one on Target, according to people familiar with the attacks. Those breaches have yet to come to light. Similar breaches may have occurred earlier last year.

Another for the “No good deed goes unpunished” file? What other options are available? Are there safe harbors for whistle blowers? If not, is anyone interested in starting one?
Jeremy Kirk reports:
An Australian teenager who notified a public transport agency of a serious database flaw is under police investigation.
Joshua Rogers, 16, of Melbourne, found a SQL injection flaw in a database owned by Public Transport Victoria (PTV), which runs the state’s transport system.
The flaw allowed access to a database containing 600,000 records, including partial credit card numbers, addresses, e-mails, passwords, birth dates, phone numbers and senior citizen card numbers.
A PTV spokeswoman said Friday police were notified as a “matter of process” because of the breach. She said she could not comment if PTV wanted to see Rogers prosecuted.
Read more on TechWorld.
This is the kind of stupid response or policy that discourages people from reporting vulnerabilities. The investigation should be about verifying and closing the vulnerability as the first priority, and then determining why the teen’s attempts to notify them through their own channels failed and left him no choice but to go to the media.

“By their failures you shall know them”
Pamela Jones Harbour writes:
Concerns about privacy practices in the data broker industry, and the privacy implications about the lack of transparency “behind-the-scenes,” will remain a topic of intense regulatory and legislative focus in 2014. The Federal Trade Commission has defined “data brokers” as companies that collect personal information about consumers from a variety of public and non-public sources and resell the information to other companies. The reselling of consumer information may occur for purposes that include the marketing of products; verifying an individual’s identity; differentiating records; or preventing financial fraud. However, there is no statutory definition of data brokers, nor are there laws requiring data brokers to maintain the privacy of consumer data – unless the data is used for purposes under the Fair Credit Reporting Act (FCRA), such as credit, insurance, housing or employment. 2014 will bring renewed and expanded FTC and legislative scrutiny relating to three diverse categories of data brokers, identified in the FTC 2012 Privacy Report, reflecting different levels of data sensitivity:
Read more on BakerHostetler Data Privacy Monitor

No one “likes” my Blog!
Facebook Likes Lawsuit, Windows 9 On Way, Star Wars Photos [Tech News Digest]
… Facebook has been hit with a class action complaint related to its use of Likes in advertising on the site. According to GigaOM, Anthony Ditirro of Colorado claims Facebook informed his friends he Liked USA Today even though he hadn’t ever stated as much.
The complaint reads, “Although PLAINTIFF has nothing negative to say about USA TODAY newspapers, PLAINTIFF is not an avid reader of USA TODAY, nor does PLAINTIFF endorse the newspaper.” Ditirro claims he never actively Liked USA Today or even visited its website.
Ditirro is seeking $750 (the minimum amount set out with a related California law) for the alleged offence. He’s also keen for other people falsely cited in similar ads to join the lawsuit.
Facebook responded by saying, “The complaint is without merit and we will defend ourselves vigorously.” This is a line Facebook must be getting used to repeating, with the social network having been hit with a series of lawsuits related to the way it leverages its userbase for advertising efforts.

No comments: