The investigation behind Target’s data breach, which affected 40 million customers and is one of the largest hacking incidents in retail history, just intensified. The U.S. Justice Department has joined the hunt for the perpetrator, which already includes the FBI and the Secret Service, which usually oversees the federal government’s credit card fraud cases.
U.S. Attorney General Eric Holder told the Senate Committee that his office is trying to find the hackers who are responsible for the data breach, as well as anyone using stolen data to commit credit card fraud.
Between Nov. 27 and Dec. 15, credit and debit card numbers from 40 million Target customers were stolen. Then earlier this month, Target said that up to 70 million additional customers also had personal information stolen, including email addresses and phone numbers.
Last week, the FBI warned U.S. retailers to prepare for more data breaches involving the same kind of malware used against Target, which harvests data from point-of-sale systems, including cash registers and credit-card swiping machines.
Target is not the only company affected. Neiman Marcus also said that its data had been breached, with 1.1 million customer cards exposed, and Reuters reports that several other retail chains have also been affected. The FBI said that the malware used, RAM scraping, is becoming increasingly difficult to track down because one variation, Alina, is frequently updated remotely.
TechCrunch’s John Biggs recently wrote a post with more details about the specific form of malware used on Target, which grabs sensitive data from point of sale terminals. Data security expert Brian Krebs found that the version of the software that appeared on Target computers had been designed to hide itself from anti-virus software. He also traced it to a programmer called Antikiller who sold it on hacker forums.
“The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors,” the FBI wrote in a confidential report that was sent to retail companies.
Target’s data breach has far-reaching implications. In addition to the $3.6 billion fine the corporation is liable for, retail companies now have to deal with eroding customer confidence about how they manage their credit card information.
As TechCrunch’s Rip Empson pointed out, the hacking incidents may be a sign that credit card companies need to start switching from black magnetic strips to encrypted microchips, which are widely used in several parts of the world but have not been widely adopted so far in the U.S..