Target breach – 40 Million Card Numbers can’t all come from POS machines….
Aaron Titus, Chief Privacy Officer at Identity Finder provided commentary on the breach reported on Dec 18th.
“Although skimmers (physical devices that steal track data from point-of-sale machines in stores) can collect track data, it is extremely unlikely that hackers could have installed skimmers in Target stores across the country. At this point it seems most likely that Target’s centralized card processing network was compromised with some sort of malware that stole track data, much like the 2009 Heartland Payment Systems breach.”
“Organizations that strictly follow PCI-DSS 2.0, and PCI-DSS 3.0 should be able to prevent most of these sorts of breaches, so I imagine Target has already begun the process of locking down, analyzing and securing their systems,” Identity Finder’s Titus said. “The first step to PCI-DSS 2.0 and 3.0 compliance is data sensitive data management through discovery and classification, which can help a company identify broken business processes and technology shortcomings.”
Additional expert commentary:
– Experts suggest its an inside job and not merely skimming POS devices at stores
– Experts suggest that better controls and processes would limit the risk and prevent a massive breach of this size
Identity Finder’s Sensitive Data Manager is a critical element to evaluate these controls, or refine these processes as Sensitive Data Manager is incredibly accurate and effective in discovering and classifying credit card data stored on the internal network