The Breach that Spoiled Christmas

Trouble stalks the land of milk and honey. Hackers and identity thieves prowl amid the flocks of shoppers like hyenas this busy Christmas season, picking off their prey. Thus, it seems I “purchased” a $241 Michael Kors handbag from Macy’s for someone in McAllen, Texas. It likely ended up on eBay as NWT (new with tags). But that was just the beginning.

Next, my wife is telling me the Wall Street Journal reported a breach at Target. I started thinking about kill chains and how they should have protected their credit database better. Then reports that the breach was massive started popping up like mushrooms all over the Internet. A friend sent me her breach disclosure notice.

“Dear Guest,
We wanted to make you aware of unauthorized access to Target payment card data. The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013.
We have determined that the information involved in this incident included customer name, credit or debit card number, and the card’s expiration date and CVV.”

Whoops…not supposed to be storing that CVV! Was this a database breach or a wiretap? The security folks at Target aren’t amateurs; this suggests a highly sophisticated outside attacker, an insider, or both may have been involved.

Then I looked at the dates. Oh heck, I was just shopping at Target myself. Was that how someone got my number for the Michael Kors handbag?

Fortunately, a credit card activity report download proved I’d been shopping at Target on November 16, well before the reported dates of the breach. Guess mine happened somewhere else…

But others aren’t so lucky. On Saturday, December 21, JP Morgan Chase began limiting daily cash withdrawals to $100 and putting on a $300 daily purchasing cap for debit card holders breached at Target. What if that was your only card, you hadn’t done your Christmas shopping, and there were only a few days left to shop? Then who would you call the Grinch that stole Christmas?

Have a Merry Christmas anyway!


CNBC: Weak U.S. Card Security Made Target a Juicy Target
Krebs Online: Cards Stolen in Target Breach Flood Underground Markets
