More retailers hit by security breaches; malware found on Target's POS machines

Summary: A series of attacks on US retailers could be larger than thought, with several victims yet to come forward.

TOPICS: Security

It looks like Target isn't alone in suffering a major data breach recently.

There may be several other retailers besides Target and Neiman Marcus that were hit by hackers over the holiday season, according to Reuters.

The full extent of a recent round of attacks on US retailers' IT systems, thought to have been launched by hackers in Eastern Europe, is yet to be made known to customers affected by them.

Target last week revealed that hackers had pilfered 70 million of its customers' names, mailing addresses, phone numbers, email addresses and payment card data — up from the 40 million it initially reported in mid-December.

Last week, upscale department store Neiman Marcus also confirmed that its customer database had been hacked in mid-December, although the company has not revealed how many customers were affected.

In a statement to security researcher Brian Krebs, Neiman Marcus said it was informed of the breach by its credit card processor in mid-December. It too said customer credit card details may have been compromised. 

The timing of the breaches has prompted speculation that the retailers were hit by the same hackers; however, it's not been confirmed the two breaches are linked.

According to Reuters, at least three other well-known US retailers were hacked using similar methods as the attack on Target.

Target has not disclosed how the hackers breached its security systems, although Reuters' sources pointed to a sophisticated class of malware known as RAM scrapers, which are built to steal payment data from point of sale systems.

In an interview with CNBC on Sunday, Target CEO Gregg Steinhafel said the company had established that its POS machines were infected with malware.

"What we do know is that there was malware installed on our point of sale registers. That much we have established. We have removed that malware so that we could provide a safe and secure shopping environment." He added that the investigation into the breach is still ongoing.

While the loss of payment card data in the breaches has prompted calls for a review of affected companies' compliance with the Payment Card Industry Data Security Standard (PCI DSS), RAM scrapers are designed to bypass the encryption methods that the standard encourages by reading card data from the point-of-sale system's memory while it is still in the clear.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Target did not have 70 million customers between Black Friday and Dec 15

    This data breach had to originate much earlier than Target is admitting. There is no way Target rang up 70 million transactions, let alone customers, in 22 days. The malware must have been collecting credit card data long before November.
    • Wrong!

      Actually, in my experience it's quite easy for a chain such as Target to ring up 70 million transactions in 22 days. Unfortunately these chains very often rely on a corporate firewall to keep their POSes clean and rarely have a virus scanner in the store to ensure that internal infections are stopped before they reach the POSes.
    • Actually...

      Since it was their database that was compromised, that 70 million was likely every customer they have had who used any form of plastic for payment, not just recent sales. It was "customer data" not sales data.
      Iman Oldgeek
      • Really?

        Target has 1797 stores. They'd only have to average 1012 customers per day at each store to reach 40m in 22 days. I'd imagine they easily get 5 times that on average per store per day, and a large percentage use a debit/credit card. Heck, some people even split purchases between multiple cards. Even these increased numbers aren't remotely surprising if even half of the stores were affected.
  • Sears hack, yet to be mentioned by Sears!

    Check your bank accounts.
    If you have made a purchase from Sears over the holidays you might want to check your bank account.
    I looked at my Amplify account this morning and noticed a return going into my account from for 49.00?
    I looked a week back and noticed a 300.00 charge to my account from, that went thru Jan 6th.?
    Yet the call to Sears: they can't find any transaction on my account except for the one purchase I made on Dec. 22nd while I was at the mall (Lakeline).
    I am sure this is a hack just like the others!
    Wish me luck
    • How would you know it was a hack if Sears hasn't said anything?

      And how can you see it, but not Sears? Is it on your paper statement that you can fax them?

      That sounds weird, but with these retailers (and citicard being the processor) anything is possible!
      • hack sears

        It says on my account with Amplify, yet Sears does not see any transaction except for the purchase on the 22nd.

        Sears doesn't see the other 2 transactions. I am now dealing with my bank. They say it could take up to 2 weeks to get my money back.
        • Could it be....

          that YOU were hacked and not Sears? Well, perhaps YOU weren't hacked but perhaps your card number was compromised. While it's natural for victims to feel violated and want others to know their story, right now the only thing we know is that you had fraudulent charges show up on your account.

          The fact that it mentions "Sears" in the transaction description doesn't mean much. In fact it's plausible that thieves would use a common name like "Sears" in the hope that it won't be noticed on a customer's statement.
    • My financial institutions

      issued new cards since I shopped at Target using a couple of different cards. Tech is great but opens us up to so many privacy concerns. Can we really trust corporations to secure our financial information? I'm sure Target will clean up their mess and pass the cost to their customers through various price hikes. Thanks Target, but I won't be shopping at your stores until you show me a few years of consistent security.
    • piece of shi. machines

      After many questions to the bank they said my data could have been stolen from anywhere I purchased anything! And that it could have been last week or months ago! Who knows?
  • when are people going to learn to stop clicking random exe files

    especially on a POS credit card system? However, newer card swipers just send the encrypted data up to the cloud for decryption, so the RAM scraper wouldn't be useful.

    "The socially engineered filenames we have observed include Taskmgr.exe, windowsfirewall.exe, sms.exe, java.exe, win-firewall.exe, and adobeflash.exe. This suggests that the files were delivered as part of a phishing campaign, or social engineering tricks were used to infect the system."
    • Sears hack

      Hey Dr.

      Who said anything about clicking on an exe?
      • that was mentioned in one of the links in this article
        • pos

          Thanks for the information I read from the link, very interesting!
  • Target POS Infected...

    This is the first time I've heard that Target's POS system was infected. A couple of assumptions:

    --- They should be using white-list protection schemes. The POS software image should be very stable. Since it's a single-task device, a white-list scheme would have eliminated this breach since it would have killed/quarantined any unauthorized (i.e. not part of the white-list) executable or library that tries to execute on the machine.

    --- If this is the only system compromised -- SHAME ON TARGET for storing customer data on their POS. It's absolutely ridiculous to store customer names, e-mail addresses, postal addresses and whatever else the media has claimed might have been compromised. This is completely irresponsible, IT heads should roll, Target should get penalized by PCI and whatever appropriate government agency should investigate them and fine the crap out of them. A fitting punishment would be for the PCI industry to cut them off until they can demonstrate they've completely changed their system to honor their customers' privacy and protect card holder information.

    --- Double SHAME on Target for passing non-truncated card-holder data to the POS. The payment device should be handling the authorization and simply relay the truncated data and authorization code to the POS for storing in the TLOG. With this approach the only thing that can still be compromised is when a card won't swipe and the cashier has to enter the card number manually.
    • POS is not a single function machine any more.

      A lot of retailers have their own type of "Rewards" program, they have customers sign up for. "Buy so much from Target and get discounts on our Target Trinkets program." The sign up for these programs is IN THE POS machine now. That is how these customers personal info got tapped.
    • Not the first compromise

      I was a seasonal cashier at Target in 2012; in my 3 months there were two separate compromises within the coupon system. One allowed a customer to present a barcode for the cashier to scan (up to three times) that would immediately and automatically take $20 off the total. For any item. The store policy was to give cash back to any person whose total redeemable coupons added up to a negative sum, meaning some "guests" potentially got up to $60 minus the cheapest item for free.
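The "Target POS Infected..." comment above argues that the payment device should authorize the card and hand the POS only a truncated PAN plus the authorization code for the TLOG, which is also why the article notes that RAM scrapers defeat the encryption PCI DSS encourages: whatever the POS holds in the clear is what a scraper can read. The following is an added example (not code from the page, Target, or any vendor) that builds such a TLOG record and then audits a buffer for any full, Luhn-valid PAN; the field names and the public test PAN 4111111111111111 are assumptions.

```python
import re

# Card numbers are 13 to 19 digits long (assumption: matches the common brands).
PAN_LENGTHS = range(13, 20)

# Digit runs with optional spaces/dashes, bounded so we do not match inside longer numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS-style truncation: keep at most first six and last four, mask the middle."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) not in PAN_LENGTHS:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_tlog_record(auth_response: dict) -> dict:
    """What the POS should persist after the payment device authorized the card:
    truncated PAN and auth code only; the full PAN never enters POS memory or the log."""
    return {
        "pan": truncate_pan(auth_response["pan"]),
        "auth_code": auth_response["auth_code"],
        "amount": auth_response["amount"],
    }


def find_cleartext_pans(blob: str) -> list:
    """Defensive audit: return every Luhn-valid full PAN found in a log or memory buffer.
    An empty list means the buffer holds nothing a RAM scraper could harvest as a PAN."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(r"\D", "", m.group(0))
        if len(digits) in PAN_LENGTHS and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed sample: one record built the right way, one log line holding a raw PAN.
    good = build_tlog_record({"pan": "4111 1111 1111 1111", "auth_code": "A1B2C3", "amount": "49.00"})
    print(good, find_cleartext_pans(str(good)))                  # no hits
    print(find_cleartext_pans("pan=4111111111111111 ref=1234567890123456"))  # one hit
```

The non-Luhn reference number in the sample line is deliberately ignored, so the audit reports card numbers rather than every long digit run.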
  • POS's are POS's. LOL

    Isn't it funny that point-of-sale machines and piece-of-s**t have the same initials? OH! The irony.

    I think WPA2 got busted folks. First it was WEP, then WPA (1), now it's WPA2. I think we need to go back to wired connections, at least in the retail stores. It will not stop all breaches, but it just might help retailers get out in front of this. Instead, retailers seem to be out in front of a bus barreling down on them.
  • well...

    Maybe their free trial of Mcafee ran out :) is the only company I rely on to keep my PC running safe.
  • Laws are not strict enough

    Being an IT for 20 years scamming has become an every day event with no help from the authorities. The bottom line here, is "the laws are not strict enough." They need to come up with a strict law like " serve 25 years no chance of parole" if ever caught & prosecuted for hacking & scamming. Then you will see this junk start going away. But it's obvious no one is interested in making our computer systems safe for our families. When one of the well known politicians get scammed & lose everything, then something might happen. Right now all the attention is on obama rip of care which should have never been approved. But hopefully something will be done to help us with hacking & scamming.