Target’s huge data breach likely to be followed by more, experts warn

Target’s huge data breach likely to be followed by more, experts warn

Amid reports Friday that credit and debit-card information stolen from up to 40 million Target customers already is being sold on the black market, security experts warned that such attacks not only will continue but could worsen.

While businesses are experimenting with new ways to deter cyberthefts, the experts noted, the crooks are getting smarter about exploiting vulnerabilities in the growing ranks of companies whose operations are linked across the world’s vast computerized networks.

“The reality is that these incidents are only going to increase,” said Paul Lipman, CEO of Redwood City security firm Total Defense. “It’s a result of the increasing connectivity of everything we touch.”

Target, meanwhile, scrambled Friday to reassure customers by offering free credit monitoring and encouraged them to keep shopping during the holiday season by announcing a 10 percent discount this weekend. That may do little to calm the popular discount retailer’s angry customers, many of whom said they couldn’t reach anyone Friday at Target’s hotline, 866-852-8680.

“I’m furious and I’m frustrated,” said Mia Siegel, of Danville, who said she was among those who shopped at a local Target store during the Nov. 27 to Dec. 18 data breach and who hasn’t been able to get through on the hotline. Each time she called, she said, “You have to go through the whole phone tree, and they tell you, ‘Just a minute, we’ll have someone help you,'” and then “it just hangs up on you.”

Other people lodged similar complaints on Target’s Facebook page, and San Francisco resident Jennifer Kirk on Friday sued the chain in federal court, claiming it “failed to implement and maintain reasonable security procedures.”

Target spokeswoman Molly Snyder acknowledged in an emailed statement that “we are experiencing significantly higher volume than normal to our call centers,” and added, “we are working hard to resolve this issue by adding team member support and system capacity as quickly as possible. We apologize for the inconvenience.”

The company, which said it is “hearing very few reports of actual fraud,” still hasn’t disclosed details about how the attack occurred. But on Friday, Brian Krebs — a well-respected cybersecurity blogger who first disclosed the breach — reported that credit and debit-card data stolen in the attack “has been flooding underground black markets in recent weeks.” He added that the purloined information has been “selling in batches of one million” for $20 to more than $100 per card.

Experts said retailers are experimenting with a number of technologies to minimize the impact of such incidents.

Some are designed to spot attacks minutes after they begin instead of taking days, which is often the case now, said Hugh Thompson of Sunnyvale security company Blue Coat. While that might not stop crooks from stealing information, he added, “it’s a way to vastly reduce the impact of it” by letting firms react more quickly.

Another method is to encrypt more parts of the business’s operations, so that even if some data is stolen, it will be harder for the thieves to decode, said Terence Spies of Cupertino-based Voltage Security.

Marc Maiffret of Phoenix security company BeyondTrust added that many retailers will likely be prompted by Target’s breach to hire consultants to identify their vulnerabilities and suggest improvements.

But he characterized the on-going battle with cybercrooks as a “cat and mouse game,” noting that every time businesses make their systems safer, the bad guys figure out new ways to exploit them.

Eric Chiu, president of Mountain View security company HyTrust, agreed. “As thieves get more savvy,” he concluded, “we should absolutely expect that we will see more breaches of greater magnitude.”

In a report detailing the problems it expects in 2014, Japanese security firm Trend Micro predicted “we’re going to have one or more events like this every month,” said J.D. Sherry, the company’s vice president of technology and solutions.

He noted that one reason for the grim assessment was that many retailers still use Windows XP as their operating system, Because the software is a dozen years old and will no longer be fortified with security updates from Microsoft after April, he added, “this is a big problem.”

But for Target, its immediate focus was the fallout from the attack. In a statement, Target CEO Gregg Steinhafel noted that just because someone shopped at Target during the attack “doesn’t mean they are victims of fraud” and emphasized that those customers “will not be held financially responsible for any credit and debit card fraud.”

Contact Steve Johnson at 408-920-5043. Follow him at