Malware in Target’s registers harvested millions of card details for weeks, chain admits

Malicious software was installed in tills in Target stores across the U.S. and went undetected for weeks, the chain has admitted, harvesting information from the magnetic stripes on customer cards during transactions.

The infiltration went undetected from late November until 15 December, according to The Register’s report.
In an interview with CNBC, Chief Executive Gregg Steihafel said that the investigation was still “ongoing” and defended the four-day wait between the chain’s discovery of the attack, and its announcement to consumers.

“There was malware installed on our point-of-sale registers,” he said, “That much we have established. This investigation is ongoing, and it is going to take some time before we understand the extent of what has happened.”

“Sunday December 15 was really day one,” Steihafel told CNBC. “That was the day we confirmed we had an issue and so our number one priority was … making our environment safe and secure. By six o’clock at night, our environment was safe and secure. We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk,” he said.

“Day two was really about initiating the investigation work and the forensic work … that has been ongoing. Day three was about preparation. We wanted to make sure our stores and our call centers could be as prepared as possible, and day four was about notification.”

While Target launched a PR campaign to win back the trust of shoppers, including the revelation that malicious software was likely involved in the theft of data on up to 110 million cards, there were fresh developments from the leading retail trade association, the National Retail Federation (NRF). As reported by Reuters, the organization called for stronger security for cards. Reuters is also reporting that three more retailers are affected by similar breaches, but did not name names.
Target was not the only retailer to suffer such attacks during the holiday season – upscale luxury-goods store Neiman Marcus admitted that customer cards had data stolen during the same period, as reported by We Live Security here.

Three other retailers were also targeted during the same period, but have yet to make statements, according to CNET. Sources told Reuters that the same techniques were used to attack three “well-known” retailers, who suffered smaller breaches.