The security breach that hit Target Corp. during the holiday season seemed to be part of a broader and highly sophisticated scam that affected several retailers, according to a report published by a global cyber intelligence firm that works with the Secret Service and the Department of Homeland Security.
The report, released Thursday by iSight Partners of Dallas, offers more insight into the breach at Target, which affected 40 million credit and debit card accounts and has stolen the personal information — including email addresses and names — of as many as 70 million customers.
The report said a malicious software that infiltrated the point of sale system at the registers was “almost certainly derived” from BlackPOS, a crude but effective software product.
It said that starting in June, iSight began seeing the malicious software codes on the black market.
“The use of malware to compromise payment information storage systems is not new,” the report said. “However, it is the first time we have seen this attack at this scale and sophistication.”
The report noted that because this kind of software can “cover its own tracks,” the scale, scope and reach of the breach is not possible to determine without detailed forensic analysis.
“Organizations may not know they are infected,” the report said. “Once infected, they may not be able to determine how much data has been lost.”
Last week, Neiman Marcus said thieves stole some of its customers’ payment information and made unauthorized charges over the holidays. At the time, it said that was working with the Secret Service on the breach.
ISight said in the report it doesn’t address the names of retailers and can’t discuss whether the malicious software affected Target, Neiman Marcus and other retailers. However, the report offers the latest evidence that the two are related and that other retailers were victims of a broader data scheme.
Emails and calls to iSight were not immediately returned.
Molly Snyder, Target spokeswoman, said the retailer did not have any details to share on the report at this time.
Neiman Marcus Group said Thursday that, to its knowledge, customers’ Social Security numbers and birthdates were not stolen during its security breach.
The luxury retailer, based in Dallas, also confirmed that customers who shopped online do not appear at this time to have been affected by the criminal cybersecurity intrusion, and it said personal identification numbers, or PINs, were never at risk because the retailer does not require PIN pads in its stores.
Neiman Marcus spokeswoman Ginger Reeder declined to say how many people were affected by the scam, noting that the investigation is ongoing.
About the Author
