Update: Target, Neiman Marcus Credit Card Hacker Is A 17-Year-Old From Russia
Update: Experts think they’ve already figured out who was behind the security breach of Neiman Marcus and Target customer data. Turns out it was one hacker — a 17-year-old from Russia.
A just-released report by the cyber intelligence group IntelCrawler identified the culprit, who goes by the username “ree4,” reports Slate. According to the report, he seems to have created the point-of-sale malware used on Target, Neiman Marcus, and six other large U.S. retailers, and possibly more.
Based in St. Petersburg, ree4 sold his “BlackPOS” malware to more than 60 cyber-criminals in Eastern Europe and other regions, the report found. And IntelCrawler’s president, Dan Clements, told PCWorld that the organization is “90 percent” sure it’s ree4.
Although ree4 didn’t take part in the hacks, he did write and sell the malware. While Target declined to comment to The Washington Post, a spokeswoman for Neiman Marcus explained that hackers were able to install the BlackPOS malware because the credit card terminals at the retailers they targeted had weak default passwords that were guessable.
The New York Times has also reported that Neiman Marcus was hacked previously — in July, in fact. The retailer didn’t even know about the problem until mid-December. It just took action.
First there was the news of the massive customer data breach over at Target. Now comes word that luxury department store chain Neiman Marcus — and possibly several other retail companies — have had customers’ credit and debit card information stolen by hackers.
The news keeps getting worse and worse for Target customers. The store has announced that the data breach that hit just before Christmas was much larger than the company previously said. In reality it affected between 70 million and 110 million people, reports The New York Times. On Dec. 19 Target said it was about 40 million in-store customers. Moreover, mailing and email addresses, names and phone numbers were hacked.
According to Neiman Marcus, its credit card processor alerted the retailer in December about potential unauthorized payment card activities. The U.S. Secret Service is now investigating.
There have been smaller breaches at at least three other well-known U.S. retailers as well, say people familiar with the attacks. Similar breaches may have happened even earlier last year. Some of the attacks, say the sources, involved retailers with outlets in malls, though they declined to elaborate.
“Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cyber crime cases have been hatched over the past decade,” reports Reuters.
For fear it could hurt business, retailers are often reluctant to report breaches. Target, for example, only acknowledged its 2013 attack after security blogger Brian Krebs wrote about the breach. Neiman Marcus waited nine days to disclose its breach. “Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers,” reports Reuters.
In most states, companies are required by law to contact customers when certain personal information is compromised. And merchants are required to report security breaches of personal information including social security numbers. Banks and credit card firms such as Visa are forbidden from naming merchants that have been breached. It is up to the merchants to disclose it themselves.
Reuters reports that the attacks are similar in nature, with a RAM scraper, or memory-parsing software, possibly among the malicious software used. It enables cyber criminals to grab encrypted data by capturing it when it travels through the live memory of a computer, where it appears not as encrypted data but as plain text, the sources said.
Last year, Visa issued two alerts about a surge in cyber attacks on retailers and they specifically warned about the threat from memory parsing malware. Target’s security team has not revealed if it implemented the measures recommended by Visa. A law enforcement source familiar with the breach, however, said that even if the retailer had implemented the program, it may not have stopped the attack because hackers are getting more sophisticated. According to spokeswoman Molly Snyder, the entry point for the Target attack has been identified and closed. This newly revealed additional set of data involves all types of customer information that Target had collected over time. “Those customers need not have even shopped at Target during the holiday period to have had their information stolen,” reports the Times.
“The theft from Target’s databases is still the second largest data breach on record, rivalling an incident uncovered in 2007 that saw more than 90 million credit card accounts pilfered from TJX Cos. Inc.,” reports Yahoo News. Target said affected consumers will have “zero liability” for the costs of any fraudulent charges arising from the breach. The company is also trying to contact customers via email with tips on how to safeguard against consumer scams. The retailer is offering a year of free credit monitoring and identity theft protection to customers who shopped at its stores. Customers will have three months to enroll in the program.
Target, the Secret Service, the U.S. Justice Department, and a forensic unit of Verizon Communications Inc. are continuing to investigate the breach.