Looks like 40 + 70 = 110 Million “items”: 40 Million card numbers (or transactions) and 70 million “other things” so far. But we're not sure what happened so there may be more.
Target CEO promises to make 'significant changes' after huge data breach
The head of retail
powerhouse Target is pledging to "make significant changes"
in the wake of the latest revelation that as many as 110 million
customers were ensnared in a massive data heist at stores across the
country.
"Clearly, we're
accountable and we're responsible. But we're gonna come out at the
end of this a better company," Gregg Steinhafel — Target
chairman, president and chief executive officer — told CNBC's Becky
Quick in an exclusive interview that will air in full on Monday
morning. "And we're gonna make significant changes."
… The retailer has
said at least 70 to 110 million customers — a more massive number
than previously disclosed in December, when the breach was first
reported — were struck by the holiday-season data theft, making it
one of the largest security breaches of its kind.
… When asked why it took the company four days to notify customers of the breach, Steinhafel said it “wanted to make sure our stores and our call centers could be as prepared as possible,” adding that employees “worked around the clock to try and do the right thing.” [Four days is not too bad. Bob]
And Steinhafel told
CNBC that the company still doesn't yet "know
the full extent of what transpired."
"But what we do
know was there was malware installed on our point-of-sale registers.
That much we've established," he said.
(Related) and inevitable.
State prosecutors launch Target data breach investigation
State prosecutors in
New York and Connecticut said they'll investigate Target
Corp.'s massive data breach.
(Related)
Timeline of Target's data breach
Nov. 27 to Dec. 15 Cyberthieves gain access to information on millions of debit and credit cards from Target customers.
Dec. 18 Target CEO, Gregg Steinhafel, issues a rare statement on holiday sales, saying, “We are pleased with Target’s holiday performance.”
Dec. 18 Computer security blogger Brian Krebs posts story saying Target is confronting a security breach involving millions of debit and credit cards.
Dec. 18 A spokeswoman for American Express confirms the data breach, saying they’ve launched their own investigation.
Dec. 18 The Secret Service confirms to other media sources it has begun its own investigation.
Dec. 19 Target confirms that credit and debit card information of 40 million customers may have been exposed.
Dec. 20 Steinhafel issues an apology to customers and offers a discount to shoppers for the weekend.
Dec. 23 U.S. Department of Justice steps into investigation.
Dec. 23 Target says the data breach involved malicious software on the point-of-sale card-swiping devices in the checkout aisles of its stores.
Dec. 27 Target acknowledges that, contrary to early reports, personal identification numbers to debit and credit cards were also exposed.
Jan. 3 TCF Bank joins other banks in “replace-them-all approach” to Target’s security breach, will issue new cards to its affected customers.
Jan. 10 Target announces that personal information of 70 million customers also exposed during the breach, but the amount of overlap with the financial data of 40 million people is unclear. At worst, data of up to 110 million people was accessed from Target’s system.
(Related) Even bigger?
More well-known U.S. retailers victims of cyber attacks, but stores tight-lipped
Target Corp. and Neiman
Marcus are not the only American retailers whose networks were
breached during the holiday shopping season, according to sources
familiar with attacks on other merchants that have yet to be publicly
disclosed.
Smaller breaches on at
least three other well-known American retailers took place and
were conducted using similar techniques as the one on Target,
according to people familiar with the attacks. Those breaches have
yet to come to light. Similar breaches may have occurred earlier
last year.
Another for the “No
good deed goes unpunished” file? What other options are available?
Are there safe harbors for whistle blowers? If not, is anyone
interested in starting one?
Jeremy Kirk reports:
An Australian teenager who notified a public transport agency of a serious database flaw is under police investigation.
Joshua Rogers, 16, of Melbourne, found a SQL injection flaw in a database owned by Public Transport Victoria (PTV), which runs the state’s transport system.
The flaw allowed access to a database containing 600,000 records, including partial credit card numbers, addresses, e-mails, passwords, birth dates, phone numbers and senior citizen card numbers.
A PTV spokeswoman said Friday police were notified as a “matter of process” because of the breach. She said she could not comment if PTV wanted to see Rogers prosecuted.
Read more on TechWorld.
This is the kind of
stupid response or policy that discourages people from reporting
vulnerabilities. The investigation should be about verifying and
closing the vulnerability as the first priority, and then determining
why the teen’s attempts to notify them through their own channels
failed and left him no choice but to go to the media.
“By their failures you shall know them”
Pamela Jones Harbour writes:
Concerns
about privacy practices in the data broker industry, and the privacy
implications about the lack of transparency “behind-the-scenes,”
will remain a topic of intense regulatory and legislative focus in
2014. The Federal Trade Commission has defined “data brokers” as
companies that collect personal information about consumers from a
variety of public and non-public sources and resell the information
to other companies. The reselling of consumer information may occur
for purposes that include the marketing of products; verifying an
individual’s identity; differentiating records; or preventing
financial fraud. However, there is no statutory definition of
data brokers, nor are there laws requiring data brokers to maintain
the privacy of consumer data – unless the data is used for purposes
under the Fair Credit Reporting Act (FCRA), such as credit,
insurance, housing or employment. 2014 will bring renewed and
expanded FTC and legislative scrutiny relating to three diverse
categories of data brokers, identified in the FTC 2012 Privacy
Report, reflecting different levels of data sensitivity:
Read more on BakerHostetler Data Privacy Monitor
No one “likes” my Blog!
http://www.makeuseof.com/tag/facebook-likes-lawsuit-windows-9-way-star-wars-photos-tech-news-digest/
Facebook Likes Lawsuit, Windows 9 On Way, Star Wars Photos [Tech News Digest]
… Facebook has been
hit with a class action complaint related to its use of Likes in
advertising on the site. According to GigaOM,
Anthony Ditirro of Colorado
claims Facebook informed his friends he Liked USA Today even though
he hadn’t ever stated as much.
The complaint reads,
“Although PLAINTIFF has nothing negative to say about USA TODAY
newspapers, PLAINTIFF is not an avid reader of USA TODAY, nor does
PLAINTIFF endorse the newspaper.” Ditirro claims he never
actively Liked USA Today or even visited its website.
Ditirro is seeking $750
(the minimum amount set out with a related California law) for the
alleged offence. He’s also keen for other people falsely cited in
similar ads to join the lawsuit.
Facebook responded by
saying, “The complaint is without merit and we will defend
ourselves vigorously.” This is a line Facebook must be
getting used to repeating, with the social network having been hit
with a series of lawsuits related to the way it leverages
its userbase for advertising efforts.