Weekly News Roundup: December 20, 2013

This week’s major news highlight was the card data breach at Target, one of the largest U.S. retailers. The company is reporting that at least 40 million cards were stolen and that all of the store’s 1,800 locations were impacted in some way. Some of the highlighted stories this week included the following:

Krebs on Security – Sources: Target Investigating Data Breach
The story that started it all. Renowned security blogger Brian Krebs first broke the Target story this week after speaking with sources close to the situation.

American Banker – Target Data Breach Has Become a Card Data Fire Sale: Krebs
As Target confirmed the breach of at least 40 million card details, Krebs reports that the hackers who infiltrated Target’s POS system are now working feverishly to offload the card numbers before they are canceled or expire. Krebs calls the situation a ‘fire sale’ and notes that the freshest card details are going for about $44 each on the cyber black market. He also mentions that if the hackers found a vulnerability in Target’s POS system that lets them move through the system, there’s a good chance other retailers have a similar setup and could be hit the same way.

CSO – Target: The breach that should’ve never happened
A strong article that makes the case that Target couldn’t have been PCI-compliant at the time of the breach if it was storing CVV numbers. The article also speculates on some of the attack vectors the hackers could have used to gain access.

Gartner Blog – What We Can Learn From The Target Breach
Noted security analyst Avivah Litan offers her take on the lessons we can already learn at this early stage from the Target breach, and writes that no matter the outcome, the picture isn’t rosy for Target, despite its supposed PCI-compliant status. She also speculates on the attack vector used by the hackers, which was possibly through an insider or by attacking the switching system for payment authorization and settlement.