The US Company Target Corp has revealed that hackers stole sensitive data from some 110 million of their customers as part of a pre-Christmas data breach, way more than had previously been disclosed.
Earlier in December the third biggest US retailer, which sells discounted products, had said that about 40 million credit and debit cards had been affected in the data breach, which happened between November 27 and December 15.
But on Friday Target announced that the ongoing investigation into the fraud showed that other customer information as well as the originally reported payment card data had been stolen.
Affecting as many as 110 million customers, the stolen information included names, mailing addresses, phone numbers and email addresses of customers who had swiped their cards outside the 19-day breach period, according to Molly Snyder, a Target spokeswoman.
The company said that some overlap exists between the two data sets.
“I think they still have no idea how big this is. This is going to end up being much larger than 70 million and end up being the largest retail breach in history,” David Kennedy, a former US Marine Corps cyber chief intelligence analyst who now runs his own consultancy, told Reuters.
This is the second largest data fraud ever against a major US retailer. The largest one was found at TJX Cos Inc. when data from 90 million credit cards was stolen.
Target has said that none of the customers will have to shoulder any liability for the cost of the fraudulent charges. The company has said that it expects its full-year earnings per share to include charges related to the data breach, but couldn’t give an estimate of the cost.
Old technology opens door to hackers
The debit and credit card system used by Target as well as thousands of other US stores and businesses are obsolete and therefore much more vulnerable to cybercriminals.
Such scams often involve the company employees, who insert malware into the computer system processing sales or may have unwittingly clicked a link, which then downloads the malware.
In the case of Target the data was most likely stolen via the payment terminals, which scanned the magnetic strips on the back of the card.
But had Target used Chip and Pin cards, known as EMV, then this type of hacking would have been impossible. EMV cards encrypt the data and therefore make it much more difficult to intercept at the point of use.
But in the older cards the technology on the magnetic stripes is similar to that of cassette tapes, which became obsolete almost two decades ago and can be easily reproduced.
Only 1 percent of US cards have Chip and Pin technology, in contrast to more than 90 percent in the EU and four out five in Canada. Even the US cards that are fitted with EMV technology are not secure as only one in ten US payment terminals can actually process information from the chip.
US credit card issuers have been told they must fall into line with the rest of the world by October 2015, but US banks have calculated that the amount they lose from fraud is on average less than if they paid for a roll out of new cards and terminals across the country.
The banks also earn more in fees from processing the old fashioned signature verifications than they would do with a modern pin system.
“Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay is small compared to the profit they are making from using less secure cards,” Mallory Duncan, the general counsel at the National Retail Foundation, told AP.
In the rest of the world the change over to EMV was either made a legal requirement, or new payment services were put in where cards had not been used before as in developing markets, but in the US even by October 2015, it is estimated that only 60 percent of cards will be compliant with new technology requirements.