The Target hack: How did they do it?

To view this site, you need to have Flash Player 9.0.115 or later installed. Click here to get the latest Flash player.

December 19, 2013, 7:27 pm
Print Article

(NECN: Peter Howe, Westborough, Mass.) - Massachusetts Attorney General Martha Coakley and other law-enforcement officials were scrambling for details Thursday on how data thieves apparently got access to as many as 40 million credit and debit cards used by shoppers at U.S. Target stores between Nov. 27 and Dec. 15.

"We have contacted Target to review the circumstances and will be working with attorneys general across the country to determine whether the company had proper safeguards in place to protect consumer information," Coakley said.

Target is giving no details other than to say this involved people who shopped at brick-and-mortar stores between the Wednesday before Thanksgiving and last Sunday. No one shopping at or retail stores in Canada or abroad, Target said, was affected. The company is urging consumers who used a charge card inside one of its stores during this time period to monitor their account statements for fraudulent charges.

Left unexplained: Where between point-of-sale card-swipe terminals and back-office data centers was the data – cardholders’ names, account numbers, expiration dates, and card security codes – was the information stolen? Are other retailers vulnerable to a similar hack? Is it a problem with the network security of Target’s telecommunications and Internet service provider? From which country did the data theft emanate? Was it an inside job involving rogue Target workers?

John Moynihan, president and managing director of Minuteman Governance, a Hopkinton, Mass., data security firm, said the scope of the data theft and the fact it went 18 days, apparently, without being shut down shows it was "extremely sophisticated."

Based on the limited information Target is providing, Moynihan said assuming it’s not a work of internal company data theft, the most likely scenario is savvy hackers got someone inside Target to open an e-mail containing a "malware" virus that was designed to spread to a huge number of card-swipe readers or somehow grab all the information contained in the magnetic stripe of a credit or debit card – or got a flash-drive memory device into the hands of someone who works for Target, who plugged it into a computer on Target’s network and spread the malicious program.

"I did get a little alarmed when I heard about this, thinking about the extent of the information that they could get and what they could go be purchasing," said Lisa Graham of Northborough, coming in for one of her regular weekly or semiweekly shopping trips to the Target on Route 9 at the Westborough-Northborough line. She realized her husband had come in to shop on Black Friday at the same store, two days after the data breach reportedly began. But she said she had checked with Target about her company cards and her husband’s Discover card, "and everything was OK. We’re not really concerned."

In New York Stock Exchange trading Thursday, Target shares fell $1.40, or 2.2 percent – a drop that suggests many investors were inclined to dump the stock until they have clearer answers about what happened, but not such a deep selloff it indicates widespread doubt Target can solve the problem and regain customers’ confidence.

With videographer Dan Smith

Tags: massachusetts, Martha Coakley, Peter Howe, Target, Westborough, data theft, Target data breach
It was a busy day for the the hometown team
Tests performed earlier this week confirm positive mosquito pool in Roslindale
Police in Portsmouth, New Hampshire are seeking the public's help in identifying three suspects who burglarized a local surf shop earlier this month