If you shopped at Target between 11/27/2013 and 12/15/2013, congratulations. Your credit or debit card info is one of around 40 million up for sale in a thriving underground marketplace complete with wholesalers, distributors, retailers, and easy to use websites. Replace your card right now before bad things happen.
Brian Krebs broke the story in his blog, Krebs on Security, and the public owes Krebs a debt of gratitude. Here is the original story. Here is a follow-up post. Target blew it. Target should have notified customers and broken the story itself. But instead of proactively notifying its customers, Target apparently responded to the Krebs blog, as did the rest of the popular press.
The more onion layers peeled back, the scarier this gets. Where did that date range between Nov. 27 and Dec. 15 come from? Apparently, banks buy samples of stolen credit card info from those same underground markets and look for patterns. The big thing all these cards have in common is – you guessed it – transactions at Target during that time window. That’s why the press is reporting the date range of 11/27 through 12/15/2013, not because of anything Target found and reported about its systems.
Let this sink in for a minute. That date range came from looking at samples of cards already stolen and not from any analysis of whatever was penetrated to get the card numbers. As of Christmas eve, 2013, we still don’t know what specifically was penetrated, which means we don’t know what else is at risk or what steps the public can take to protect itself. Here is an article with some expert speculation, but it’s only speculation from the outside.
Target claims the vulnerability is now closed and offers reassuring press releases to soothe the general public. But with no guidance on what was penetrated and what specific steps Target took to close the vulnerability, the press releases so far offer nothing of value. The public trusted Target before the theft and now 40 million credit card numbers are up for grabs. Why should the public trust Target now? What’s different?
If anyone from Target reads this blog post, Crisis Management 101 suggests transparency and disclosure. The worst thing you can do is hide. Instead of reacting to events and putting out vague press releases that offer no useful information, get in front of this story and tell the public specifically what happened and what you’re doing about it. Introduce us to the people working around the clock to plug the gaps. Show us how hard you’re working to fix the problem. Convince us that shopping at your stores won’t expose us to identity theft. Treat this like a crisis, because it really is a crisis.
Are we all in this together, as your press releases promise, or are those just empty PR words? Smart people who know how transaction systems are supposed to work are watching.
(First published on my Infrasupport website on Dec. 24, 2013. I back-dated it here to match the original date.)