Target, Neiman Marcus and More: This Isn't the Last Data Breach
Possibly using a new method called RAM scraping, hackers reportedly breached the customer databases of three more U.S. retailers during the 2013 Christmas shopping season, Reuters reported.
Those breaches would be in addition to the previously reported data breaches that hit Target and Neiman Marcus retail stores.
The public may never learn which other retailers were affected, the number of customers whose data was compromised or whether even more companies are involved.
Given the time frame of these five attacks, unnamed sources who spoke to Reuters suspect that all the incidents may be linked. The sources claimed that similar attack methods were used in Target and at least some of the other attacks.
One technique reportedly used in the attacks is called RAM scraping, which involves malware that captures customer data as it passes unencrypted through a computer's random access memory, or RAM.
Although most U.S. states have laws requiring companies to inform customers of possible abuse to their personal information "without unreasonable delay," some companies have been known to keep that information quiet.
The Target and Neiman Marcus stories came to light because security blogger Brian Krebs, who broke both stories, was tipped off about investigations at both companies by his contacts in the financial industry.
Some of the data stolen from Neiman Marcus and Target consisted of credit- and debit-card information stored on cards' magnetic stripes, implying that only cards used in brick-and-mortar retail stores were affected. Target has stated that no credit cards used on its retail website were affected.
The compromised credit and debit cards used at Target stores total more than 40 million. Neiman Marcus, which admitted its own credit-card breach on Friday (Jan. 10), has not disclosed the number of cards affected.
Earlier on Friday, Target admitted that criminals had also stolen personal information on 70 million individuals, consisting of customer names, mailing addresses, phone numbers and email addresses, but no credit-card or other financial information. Although there's probably some overlap between the two sets of data, the breach may have affected up to an estimated 110 million customers.
It has yet to be confirmed whether RAM scraping was, indeed, the technique used in these five data breaches, but it seems possible; data stored in RAM is unencrypted, meaning the information on it can be read in plain text. The data is also deleted as soon as a computer is turned off, with the result that the data is sometimes less protected because it is seen as less vulnerable.
In light of these breaches, some experts including the National Retail Federation have also suggested that U.S. credit-card issuers should quickly switch to a newer, more secure card format called "chip-and-PIN," or EMV.
Already in use widely through Europe, chip-and-PIN cards store customer data on an embedded computer chip instead of on a magnetic stripe, and require users to input a PIN each time they wish to make a purchase.
American Express, Discover, MasterCard and Visa plan to force U.S. retailers to accept chip-and-PIN cards by October 2015.
However, without more information about the attacks, it is not known whether chip-and-PIN cards could have prevented the Target and Neiman Marcus data breaches.
- How to Protect Yourself from Data Breaches
- 13 Security and Privacy Tips for the Truly Paranoid
- 12 More Things You Didn't Know Could Be Hacked