Saturday, January 18, 2014

A Sneaky Path Into Target Customers’ Wallets

It was, in essence, a cybercriminal’s dream.
For months, an amorphous group of Eastern European hackers had been poking around the networks of major American retailers, searching for loose portals that would take them deep into corporate systems. 

In early November, before the holiday shopping season began, the hackers found what they had been looking for — a wide path into Target and beyond.

Entering through a digital gateway, the criminals discovered that Target’s systems were astonishingly open, lacking the network segmentation and intrusion detection (the virtual walls and motion detectors) found in secure networks like many banks’. Without those safeguards, the thieves moved swiftly into the company’s computer servers containing Target’s customer data and to the crown jewel: the in-store systems where consumers swipe their credit and debit cards and enter their PINs.

For weeks, the invasion went undetected; the malware installed by hackers escaped whatever antivirus protections Target had. Shoppers flooded Target stores over Thanksgiving weekend and into the following weeks of holiday deals, unwittingly sending millions of bits of their data into the corners of cyberspace controlled by a band of sophisticated thieves.

Target had no clue until the Secret Service alerted the company about two weeks before Christmas. Investigators who had been tracking these criminals overseas and monitoring suspicious credit activity spotted in December one common thread: charges and payments made at Target.

At least one major bank noticed a similar pattern. On Dec. 12, JPMorgan Chase alerted some credit card companies that fraudulent charges were showing up on cards used at Target, people involved in the conversation said.

An examination by The New York Times into the enormous data theft, including interviews with people knowledgeable about the investigation, cybersecurity and credit experts and consumers shows that Target’s system was particularly vulnerable to attack. It was remarkably open, experts say, which enabled hackers to wander from system to system, scooping up batches of information.

Investigators have been piecing together the timetable of the attack and continue to monitor the potential for additional fraud, especially since experts say that batches of stolen credit card data have yet to be dumped on the black market. The theft involved confidential credit and debit card data of as many as 40 million Target customers, and personal information, such as phone numbers and addresses, of as many as 70 million more.

With Secret Service agents in Minneapolis investigating the extent of the fraud, Javelin Strategy & Research, a consulting firm, estimates the total damage to banks and retailers could exceed $18 billion. Consumers could be liable for more than $4 billion in uncovered losses and other costs. Investigators also say they believe that the invasive hack at Target was part of a broader campaign aimed at at least half a dozen major retailers. So far, one other retailer, Neiman Marcus, has said that its system was breached at the in-store level, not through online shopping, and people with knowledge of the investigations have been reluctant to discuss whether the two are related.

Investigators have seen some malicious software similar to that installed at Target in recent years, but they described the design of this malware on point-of-sale systems as particularly wily. The coding was written in a way that was adaptive and persistent.

Grabbing Data

Once installed, the hackers’ malware snatched customers’ data directly off the magnetic stripes of credit and debit cards, the same data that is normally sent for processing to banks and credit card companies. The stolen data was then collected and stored on an infected server inside Target, awaiting an order from the criminals. The code was easily manipulated so that it could receive instructions from its handlers in real time, changing at their command.

Four miles from Target’s headquarters in Minneapolis and more than a week before the public learned of the data breach, Patrycia Miller looked at the bill for the American Express account she and her husband used in their dog day care business.

The usual charges appeared, including some from Target, where they shop a couple of times a week. But a few stood out — a membership fee to Match.com and a $1,291.58 plane ticket on South African Airways from Lagos, Nigeria, to Johannesburg and Nairobi, Kenya.

She asked her husband what he was up to.

Puzzled, Mr. Miller assured her he had not signed up for an online dating service and had not booked an African flight — “Not for that price,” he said.

American Express swiftly credited their account and issued new cards.

But it wasn’t until Target confirmed the breach on Dec. 19 that the Millers learned what had happened.

Gregg Steinhafel, Target’s chief executive, declined to be interviewed for this article, and requests for interviews with other company officials involved in the theft investigation were denied. On Friday evening, Mr. Steinhafel released a statement, saying: “When the breach was confirmed, I was devastated. I resolved in that moment to get to the bottom of it, and my top priority since then has been our guests. We’ve worked for 51 years to build a real relationship with them, and I am determined to do whatever it takes to secure their trust.”

Mr. Steinhafel said in an interview with CNBC earlier this week that he first learned of the data break-in when he received a phone call at home on Dec. 15, a Sunday morning, as he was drinking coffee with his wife. Secret Service and Justice Department officials had already met with Target employees a few days earlier to notify them of their suspicions.

By then, stolen credit and debit card numbers were showing up on the black market, and shoppers like the Millers were seeing unauthorized charges on their bills.

It was not the first time criminals had managed to get inside a store’s point-of-sale systems at their registers. Nearly a decade ago, Albert Gonzalez, one of the most prolific cybercriminals in American history, was stealing credit card data from T. J. Maxx and Marshalls clothing chains in much the same way.

But recently, criminals’ techniques have evolved. At the Federal Bureau of Investigation, a former official said there had been instances where criminals had managed to physically implant malicious code into point-of-sale systems on the factory floor. In most cases, however, criminals installed the malware remotely after breaking into an organization through other means.

This time, the criminals’ code instructed Target’s registers to send customer data back to the infected Target server once every hour, on the hour, and to cover its own tracks. After siphoning the data back to the infected server, the malicious code immediately deleted the file where it had been stored, so there was no record of it, according to iSight Partners, a security firm currently working with the Secret Service to investigate the attacks.

The malware, a type known as a memory scraper, has been dubbed “Kaptoxa” after a word in its code; Kaptoxa is Russian slang for “potato” and is often used by underground criminals to refer to credit cards. Its developers ensured the code would evade regular antivirus products; even a month after Target’s breach was made public, most antivirus products still fail to catch it. To avoid setting off any alarms, the criminals waited six days after moving the data from the infected server to a web server that was itself infected with malware, and from there to a server in Russia that served as a proxy to mask the criminals’ true whereabouts, according to Aviv Raff, the chief technology officer at Seculert, a security company headquartered in Israel that has been investigating the malware used on Target’s systems.
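The passages above describe the malware as a “memory scraper”: it reads card data out of the point-of-sale process’s memory in the moment between the swipe and the encrypted hand-off to the payment processor. The following is an added example, not code from the article, from iSight Partners or Seculert, and not the Kaptoxa malware itself. It shows the generic technique in the simplest form: scan a block of memory for the ISO 7813 Track 1 and Track 2 layouts that a swipe leaves behind, and keep only hits whose card number passes the Luhn check so that random digit runs are discarded. Run over a memory dump of a register, the same scan is a defender’s quickest test for whether cleartext track data is resident on the host at all. The memory image and the card numbers (industry test numbers) are constructed for the example.

```python
"""
Added example: track-data scan of the kind a RAM scraper performs, usable by a
defender against a POS memory dump. Not the article's or investigators' code.
"""
import re

# Track 2 as it sits in memory after a swipe:  ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([0-9]{0,20})\?")
# Track 1:  %B<PAN>^<NAME>^YYMM<service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{2})(\d{2})(\d{3})([0-9A-Z]{0,30})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, which is all a report should ever contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_tracks(memory: bytes) -> list:
    """Return every Luhn-valid Track 1/Track 2 record found in the buffer,
    ordered by offset. Each hit records the track type, PAN, expiry and offset."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan,
                         "exp": (m.group(2) + m.group(3)).decode(),
                         "offset": m.start()})
    for m in TRACK1_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan,
                         "name": m.group(2).decode().strip(),
                         "exp": (m.group(3) + m.group(4)).decode(),
                         "offset": m.start()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: unrelated bytes, one genuine Track 1 + Track 2 pair
# (4111 1111 1111 1111 is a standard test number), one decoy whose PAN fails
# Luhn, and a short string that merely resembles a track.
SAMPLE_MEMORY = (
    b"\x00\x10GET /pos/status HTTP/1.1\r\n\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"
    b"\x00\x00;4111111111111111=25121011000012345?\x00"
    b";4111111111111112=2512101?"      # Luhn-invalid decoy, must be ignored
    b"\x00CONFIG ;12345=67?\x00"       # too short to be a PAN
)

if __name__ == "__main__":
    for h in scrape_tracks(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{mask_pan(h['pan'])} exp {h['exp']}")
```

On a real register the buffer would come from a process memory dump rather than a literal; the point of the Luhn filter is that it turns a noisy regex sweep into a short, trustworthy list, which is exactly why it is useful to attacker and defender alike. The decoy shows the filter working: the PAN differs from the valid one by a single digit and is dropped.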

Within two weeks, criminals had taken 11 gigabytes worth of Target’s customer data: less than the storage on Apple’s iPad Mini, but enough to contain 40 million payment card records, encrypted PINs and 70 million records containing Target customers’ information.

Shortly after, company executives flocked to headquarters and onto conference call lines to begin coordinating the response.