Off with Their Department Head. Target CIO Resigns — Effective Immediately.

Posted on March 7th, 2014 by Dan Rampe

Target

Did Beth Jacob leave Target as she said in her resignation letter because “this is a good time for a change”? Or was she forced to resign as chief information officer as a result of the massive Target breach? That would have to be your call.

Jacob, who has been Target’s CIO since 2008, joined the company in 1984 starting as an assistant buyer in the Dayton’s department store division. After leaving in 1986 she returned in 2002 as director of guest contact centers. Then in 2006, she became vice president of guest operations and was subsequently named senior vice president and CIO in 2008.

In his Minneapolis/St. Paul Business Journal piece, John Vomhof noted that, “She added the title of executive vice president in 2010.” Vomhof also mentioned that Jacob was one of the Minneapolis/St. Paul Business Journal’s 2012 CIO of the Year honorees.

And Jacob is not the only senior executive leaving. Target’s current vice president of assurance risk and compliance is retiring at the end of the month – though it’s reported that he’d planned to retire.

Chairman, President and CEO Gregg Steinhafel said Target planned to overhaul its information-security team and would be conducting an external search for an interim CIO. Steinhafel explained, “To ensure that Target is well positioned following the data breach we suffered last year, we are undertaking an overhaul of our information-security and compliance structure and practices at Target.”

Steinhafel said the company would be elevating the chief information security officer position and would be working with the D.C.-based Promontory Financial Group to help Target “evaluate [its] technology, structure, processes and talent.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Scared Off Target Shoppers Slash Q4 Profit Almost in Half

Posted on March 4th, 2014 by Dan Rampe

Target

As a result of the infamous breach where 40 million credit and debit card accounts were compromised and 70 million customers had their names, phone numbers, email and mailing addresses stolen, Target’s profit dropped 46 percent and revenue 5.3 percent.

According to an AP piece by Anne D’Innocenzio, Target says profits will be affected well into 2014. The Minneapolis-based retailer reported it earned $520 million, or 81 cents per share, for the three months ending Feb. 1. That compares with a profit of $961 million, or $1.47 per share, a year earlier. Revenue fell from $22.7 billion to $21.5 billion.

Target’s $44 million insurance policy helped somewhat ease the $61 million it’s had to shell out in breach expenses so far. Additional expenses could include payments to card networks to cover losses and expenses for reissuing cards, lawsuits, government investigations and enforcement proceedings. Oh, and Target is offering free credit monitoring services for a year to those who had their data compromised. Presumably that’s been paid for already, or will be, depending on how many customers take advantage of the offer.

The breach has caused Target to accelerate its $100 million plan to implement the use of chip-enabled technology by early 2015 in all 1,800 stores.

D’Innocenzio writes, “It isn’t clear when Target will fully recover from the breach, but Avivah Litan, a security analyst at Gartner Inc., puts the costs of the breach at between $400 million and $450 million.”

A Civil War Between the States and Federal Government Over One Law for All Breach Notifications

Posted on February 19th, 2014 by Dan Rampe

Data Breach

Unlike other recent Congressional fights, the dispute over a single federal law on how customers should be notified about breaches looks to be less rancorous and more civil. That’s because privacy concerns cut across party and ideological lines, often uniting staunch conservative Republicans with civil libertarian Democrats.

The renewed interest in a federal breach notification law covering all fifty states comes on the heels of the Target, Neiman Marcus and Michaels breaches. And while the same vitriol that was apparent in other Congressional battles may not be present, there is a lot to be considered, including how a federal law would affect state regulations that are already in force.

In her Reuters piece, tech/cyber policy reporter Alina Selyukh writes:

Although federal laws already regulate how specific industries, such as banks and hospitals, handle compromised data security, certain other kinds of companies, including retailers, face no such uniform standard.

Instead, 46 states and the District of Columbia have passed their own laws that tell companies when and how consumers have to be alerted to data breaches and what qualifies as a breach.

With that, negotiations over fitting state standards under an umbrella federal law face a tug of war between companies, consumer advocates and state authorities.

Large companies working across state lines argue that state laws present a patchwork of regulations and compliance poses a challenge. Companies often issue one nationwide notice to consumers with state-specific supplements at the end. “Certainly, one standard is easier to follow than 47,” John Mulligan, Target’s chief financial officer, told lawmakers…. The No. 3 U.S. retailer has stores in every U.S. state except Vermont.

The National Retail Federation in a January letter to Congress also restated its decade-old position in favor of a nationwide standard that would pre-empt state rules. “A preemptive federal breach notification law would allow retailers to focus their resources on complying with one single law and enable consumers to know their rights regardless of where they live.”

Some state attorneys general worry above all that federal standards would dilute their power to pursue violators….

“There are 47 state standards, there’s no reason to add a 48th,” said [Representative Lee] Terry, the most prominent Republican leading a legislative effort at this point.

Consumer advocates say that the companies’ call for a single law masks the goal of having a weaker federal standard that would trump stricter laws on the books in states like California and Massachusetts.

“None of the federal proposals are as strong as the strongest state laws and that’s wrong,” said Edmund Mierzwinski, consumer program director at U.S. Public Interest Research Group. “I don’t think we need (a federal law) that’s weaker than California’s.”

California was the first state to adopt a data breach law in 2003. After a decade of fine-tuning, it requires a detailed disclosure to consumers “in the most expedient time possible and without unreasonable delay” when personal information, including emails with passwords, is “reasonably believed” to have been stolen.

Though many state requirements are broadly similar, some states, such as Montana and Ohio, require notification only if a breach poses or is believed to pose harm or material risk such as identity theft.

Many states also use more limited definitions of what personal information is included. A common definition includes name combined with the Social Security number, driver’s license number or payment card number together with information needed to access financial records.

Alabama, Kentucky, New Mexico and South Dakota do not have their own data breach notification laws.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

ThreatMetrix Third Annual Cybercrime Prevention Summit Keynote Speaker, Brian Krebs, Subject of New York Times Interview

Posted on February 18th, 2014 by Dan Rampe

Brian Krebs

Being the interviewee instead of the interviewer might be a new experience for security reporter extraordinaire, Brian Krebs, whose krebsonsecurity.com has broken huge news stories including the breaches at Target, Adobe and Neiman Marcus.

Now, in case you didn’t happen to catch it, The New York Times’ Nicole Perlroth did a fascinating piece on Krebs who, as it turns out, is a fascinating man. But beyond fascinating, Krebs is a very brave man who steadfastly refuses to be intimidated by some very bad men in his search to root out the truth.

Following is the interview, which has only been slightly modified to fit our format:

In the last year, Eastern European cybercriminals have stolen Brian Krebs’s identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner.

“I can’t imagine what my neighbors think of me,” he said dryly.

Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus.

He covers this niche with much the same tenacity of his subjects, earning him their respect and occasional ire.

Mr. Krebs — a former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side — is so entrenched in the digital underground that he is on a first-name basis with some of Russia’s major cybercriminals. Many call him regularly, leak him documents about their rivals, and try to bribe and threaten him to keep their names and dealings off his blog.

Uncovering Hacks

Brian Krebs has made a habit of exposing breaches on his widely read cybersecurity blog.

May 2010

Begins reporting on an escalating tussle between two major Russian cybercriminals that ultimately led to one of them being sentenced to two and half years in a Russian penal colony.

July 2010

First reports on the computer worm that is later called Stuxnet, which wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay Tehran’s ability to make its first nuclear arms.

March 2012

Uncovers a breach at Global Payments, which helps Visa and MasterCard process transactions for merchants. It acts as the plumbing from merchants to banks.

March 2013

Exposes a Russian website that sells information that can be used for identity theft. On the site, driver’s license records cost $4 each, Mr. Krebs says. He says that the exposure later prompts hackers to attack his website.

December 2013

Uncovers that Target is the victim of a sophisticated cyberattack that exposes payment information for up to 110 million customers. The attackers are able to enter Target’s systems through the company’s heating and cooling software.

January 2014

Exposing a wider breach of retail stores, reports that Neiman Marcus and Michaels, the arts and crafts retailer, are also victims of cyberattacks on their in-store cash register systems.

His clean-cut looks and plain-speaking demeanor seem more appropriate for a real-estate broker than a man who spends most of his waking hours studying the Internet’s underbelly. But few have done more to shed light on the digital underground than Mr. Krebs.

His obsession with hackers kicked in when he was just another victim. In 2001, a computer worm — a malicious software program that can spread quickly — locked him out of his home computer. “It felt like someone had broken into my home,” Mr. Krebs recalled in an interview. He started looking into it. And he kept looking, learning about spam, computer worms and the underground industry behind it.

Eventually, his anger and curiosity turned into a full-time beat at The Post and then on his own blog.

“I realized that if security breaks down, the technology breaks down,” Mr. Krebs said.

Today, he maintains extensive files on criminal syndicates and their tools. Some security experts readily acknowledge that he knows more about Russia’s digital underground than they do.

“I would put him up against the best threat intelligence analyst,” said Rodney Joffe, senior vice president at…an Internet infrastructure firm. “Many of us in the industry go to him to help us understand what the Eastern European criminals are doing, how they work with each other and who is doing what to whom.”

That proved the case in December when Mr. Krebs uncovered what could be the biggest known Internet credit-card heist. That month, he had been poking around private, underground forums where criminals were bragging about a fresh haul of credit and debit cards.

Soon after, one of Mr. Krebs’s banking sources called to report a high number of fraudulent purchases and asked whether Mr. Krebs could pinpoint where they were coming from. The source said that he had bought a large batch of stolen cards from an underground site and that they all appeared to have been used at Target.

Mr. Krebs checked with a source at a second bank that had also been dealing with a spike in fraud. Together, they visited one forum and bought a batch of stolen cards. Again, the cards appeared to have one thing in common: They had been used at Target from late November to mid-December.

On the morning of Dec. 18, Mr. Krebs called Target. The company’s spokeswoman did not return his call until several hours later, but by then he had enough to run his article: Criminals had breached the registers in Target’s stores and had made off with tens of millions of payment card numbers.

In the following weeks, Mr. Krebs discovered breaches at Neiman Marcus; Michaels, the arts and crafts retailer; and White Lodging, which manages franchises for major hotel chains like Hilton, Marriott and Starwood Hotels.

It is still unclear whether the attacks were related, but at least 10 other retailers may have been hit by the same hackers that hit Target and are reluctant to acknowledge it.

That is where Mr. Krebs comes in. Unlike physical crime — a bank robbery, for example, quickly becomes public — online thefts are hushed up by companies that worry the disclosure will inflict more damage than the theft, allowing hackers to raid multiple companies before consumers hear about it.

“There’s a lot going on in this industry that impedes the flow of information,” Mr. Krebs said. “And there’s a lot of money to be made in having intelligence and information about what’s going on in the underworld. It’s big business but most people don’t want to pay for it, which explains why they come to someone like me.”

Mr. Krebs is “doing the security industry an enormous favor by disseminating real-time threat information,” said Barmak Meftah, chief executive of AlienVault, a threat-detection service. “We are only as strong as our information. Unless we are very specific and effective about exchanging threat data when one of us gets breached, we will always be a step behind the attackers.”

The tally of victims from the breaches at Target, Neiman Marcus and others now exceeds one-third of the United States population — a grim factoid that may offer Mr. Krebs a strange sense of career vindication.

He first developed an interest in computers because his father, an Air Force engineer, was obsessed with the latest devices. But he did little about it until 1998, when he began writing about technology for The Post, after working his way up from the mailroom. Cybersecurity became a bit of a focus after his own computer was infected by that worm in 2001. “I learned there’s this whole underworld that seemed really fascinating,” he said.

In 2005, he started The Post’s Security Fix blog, occasionally frustrating editors with hacker jargon and unnerving some who worried he was becoming too close to sources.

“A lot of what Brian does would scare the hell out of traditional newsroom editors,” said Russ Walker, Mr. Krebs’s former editor at The Post. “I don’t think he crossed the lines journalistically, but he was living a different type of experience.”

By 2006, Mr. Krebs was a fixture in hacker forums, learning code, and — ever the dutiful reporter — borrowing Russian language tapes from his local library since most of what he tracks originates in the former Soviet Union and its satellite states. (He acknowledges having used his technical prowess at one point to peek inside The Post’s payroll system to see how much colleagues were making, something he now strongly advises against.)

In 2009, The Post asked Mr. Krebs to broaden his focus to general technology news and policy. When he declined, he was let go.

He used his severance to start his own blog, Krebs on Security, from his “command center,” a guest room at the Annandale, Va., home he shares with his wife. There, three 19-inch computer screens help him keep tabs on the underworld, while another monitors security footage of his house.

Mr. Krebs’s readership is growing. In December, 850,000 readers visited his blog, mostly to learn more about the breach at Target. Though he will not disclose figures, Mr. Krebs says the salary he now makes from advertising, occasional speaking engagements and consulting work is a “nice bump” from what he earned at The Post.

But there are risks implicit to being a one-man operation. “The work that he’s done exposing Eastern European hackers has been seminal,” said Tom Kellermann, vice president for cybersecurity at…a computer security company. “But Brian needs a bodyguard.”

Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called “Spam Nation,” to be published by Sourcebooks this year.

In the meantime, hackers have been competing in a dangerous game of one-upmanship to see who can pull the worst prank on Mr. Krebs. They often steal his identity. One opened a $20,000 credit line in his name. Admirers have made more than $1,000 in bogus PayPal donations to his blog using hacked accounts. Others have paid his cable bill for three years with stolen credit cards.

The antics can be dangerous. In March, as Mr. Krebs was preparing to have his mother over for dinner, he opened his front door to find a police SWAT team pointing semiautomatic guns in his direction. Only after his wife returned home from the grocery store to find him handcuffed did the police realize Mr. Krebs had been the victim of “swatting.” Someone had called the police and falsely reported a murder at their home.

Four months after that, someone sent packets of heroin to Mr. Krebs’s home, then spoofed a call from his neighbor to the police. But Mr. Krebs had already been tipped off to the prank. He was tracking the fraud in a private forum — where a criminal had posted the shipment’s tracking number — and had alerted the local police and the F.B.I.

Mr. Joffe worries Mr. Krebs’s enemies could do far worse. “I don’t understand why he hasn’t moved to a new, undisclosed address,” he said.

Mr. Krebs said he did plan to move and keep his new address secret. But these days it is almost impossible.

Though he goes to great lengths to protect his personal information, last month his wife received an email from Target informing her that their mailing address and other personal information had been stolen in the breach.

“I got that letter,” he said, “and I just had to laugh.”

Getting Personal. What the Target Breach Meant to One Lady Who Needed Cat Food.

Posted on February 10th, 2014 by Dan Rampe

Target

Forty million is a number that’s difficult to wrap your brain around. However, the story of one woman in the small California town of Martinez narrowly missing becoming a Target breach victim brings things home as possibly nothing else can.

Here’s the story as told on martinezgazette.com:

The breach of Target’s payment systems reached home last week as attempted fraud was reported by downtown resident Harriett Burt.

Burt said she received a call on the morning of Dec. 27 from a number her caller ID displayed as “private.”

“I nearly never answer those, but something made me go ahead and see what it was,” Burt said. “It also had, in the lower left corner (of the caller ID display) a bell with a line through it, and I’d never seen this before.”

The caller identified himself as being from an investigative division with Visa, and said the division showed a recent charge on Burt’s card of approximately $200, with the purchase being sent to Las Vegas. He asked if Burt lived in Las Vegas, and said he would investigate and call her back promptly.

But the call raised a red flag with Burt, who asked why the caller’s number was displayed as private on her caller ID. The caller said the division’s numbers often did not display because of the nature of their investigative work, and that he would proffer an 800 number when he called her back.

A few minutes later, the same caller rang back and gave Burt an 800 number. She instead decided to call her Visa company directly, and discovered the number the mysterious caller provided was not a number associated with Visa.

“These folks have thousands, millions of numbers, and they know in a situation like this all they really have to do is ID someone who’s been to Target,” Burt relayed from her conversation with Visa.

It’s likely Burt’s credit card number was one of the 40 million that hackers were able to retrieve using malicious software that infiltrated the store’s payment systems beginning Nov. 29. The only cards affected were those used for in-store purchases, which Burt says she made to buy cat food.

Hackers stole customer names, credit and debit card numbers, expiration dates, card security codes and PIN numbers, according to Target. Other customer information was not compromised, the company said, and Target is cooperating with federal authorities, including the Secret Service and Department of Justice, but is withholding additional details about the hack at the request of law enforcement.

In the meantime, anyone receiving calls from people purporting to be from credit card companies or other banking institutions is encouraged not to forfeit any information, but to hang up and call their credit and banking institutions directly. Target customers are also encouraged to check their statements carefully, especially for small purchases that may indicate fraudulent persons verifying if accounts are still active. Customers should request replacement cards, and even while new cards are on the way, Target recommended PIN numbers be immediately changed.

Unfortunately for some who failed to act as intuitively as Burt, there have been instances of cash withdrawals and purchases made using PIN numbers – charges that can be difficult, and sometimes impossible, to reverse. Lawsuits are continuing to pile up over the Target hack as thousands of customers continue to be victimized by debit card fraud.

Burt said she was lucky in that she’d recently applied for a new card, and her credit line will be transferred to it. She’s since alerted Martinez Police of the call.

However, while away from home for a few hours after the initial fraudulent call, Burt said she received a muffled voicemail message from the same person who’d called that morning, again offering an 800 number. “So the fraud continues,” Burt said.

Fortunately for her, she used caution and acted correctly.
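The advice above to watch a statement for small purchases that test whether a stolen card is still live can be turned into a simple check. The following Python script is an added example, not part of the original post, the Martinez Gazette story, or any ThreatMetrix product. The statement it reads is constructed, with made-up merchants and amounts; the $5 probe threshold and the 7-day window are assumptions, and the second rule (flagging the first-ever charge at a new merchant shortly after a probe, the cash-out that typically follows a successful test) goes beyond the article's own heuristic.

```python
"""Flag possible card-testing ('probe') charges in a payment card statement.

Added example for illustration. The statement below is constructed and the
merchant names and amounts are made up. The 'new merchant after a probe'
rule is an assumption layered on the article's advice, not anything Target
or Visa published.
"""
from datetime import date

# Constructed sample statement in 'YYYY-MM-DD,merchant,amount' form.
STATEMENT_CSV = """\
2013-11-02,Target Martinez,38.47
2013-11-20,Target Martinez,22.10
2013-12-05,Grocery Outlet,64.90
2013-12-26,WEB*DIGITALGOODS,1.00
2013-12-26,WEB*DIGITALGOODS,0.50
2013-12-27,LV ELECTRONICS,199.95
"""

SMALL_CHARGE_LIMIT = 5.00  # assumed: charges at or below this are treated as possible probes
WINDOW_DAYS = 7            # assumed: a first-time merchant this soon after a probe is suspicious


def parse_statement(text):
    """Parse statement lines into (date, merchant, amount) tuples sorted by date."""
    rows = []
    for line in text.strip().splitlines():
        day, merchant, amount = line.split(",")
        rows.append((date.fromisoformat(day), merchant.strip(), float(amount)))
    # sorted() is stable, so same-day charges keep their statement order
    return sorted(rows, key=lambda row: row[0])


def flag_probe_charges(rows, small_limit=SMALL_CHARGE_LIMIT, window_days=WINDOW_DAYS):
    """Return (date, merchant, amount, reason) for every charge worth a second look.

    Rule 1 (from the article): any charge at or below small_limit may be a
    criminal checking whether a stolen card number is still live.
    Rule 2 (assumption): the first charge ever seen at a merchant, landing
    within window_days after such a probe, looks like the cash-out that
    follows a successful test.
    """
    flagged = []
    seen_merchants = set()
    last_probe = None
    for day, merchant, amount in rows:
        first_time = merchant not in seen_merchants
        seen_merchants.add(merchant)
        if amount <= small_limit:
            flagged.append((day, merchant, amount,
                            "small charge: possible card-is-live probe"))
            last_probe = day
        elif first_time and last_probe is not None and (day - last_probe).days <= window_days:
            flagged.append((day, merchant, amount,
                            "first charge at a new merchant within %d days of a probe" % window_days))
    return flagged


def main():
    rows = parse_statement(STATEMENT_CSV)
    for day, merchant, amount, reason in flag_probe_charges(rows):
        print("%s  %-18s %8.2f  %s" % (day, merchant, amount, reason))


if __name__ == "__main__":
    main()
```

Run against the constructed statement, the two sub-dollar charges on Dec. 26 are flagged as probes and the $199.95 charge the next day at a merchant never seen before is flagged as a likely follow-on; the earlier Target and grocery purchases are left alone. The merchant baseline here is only the statement itself, so on a real account you would seed it from several months of history to cut down on false positives.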