The emerging story of the conspiracy to steal customer records from Target reads like something out of a modern suspense novel - or maybe the latest creepy revelation about the National Security Agency or the CIA.
In this case, however, the cyber whizzes apparently belong to an organized criminal conspiracy.
The numbers are staggering, and so are the implications for retailers and their customers.
In December, major retailer Target's customer database was hacked by cyber thieves who stole 40 million credit card records, including PIN numbers, and personal data on 70 million customers.
On hearing the news, shoppers stayed away from Target stores in large numbers, resulting in sales losses that may eventually amount to more than $400 million.
In its most recent quarterly report, McAfee Labs, a cyber-security firm, said the attack on Target represented a "coming-of-age" of an organized cyber crime service industry that sells tools to hackers and runs a "dark web" where stolen data is sold.
The new cyber crime underground market provided the Target thieves with custom-made malware and a means of quickly selling the stolen credit card data. The costs of mounting this raid were apparently quite modest.
A run-of-the-mill version of the malware used by the hackers could be purchased for $2,000, according to The Wall Street Journal.
In the case of the Target raid, criminal software engineers customized the malicious software to fit unobtrusively into Target's "point-of-sale" database and extract sensitive customer data. Target recently said a single stolen employee identity card gave the hackers access to their system.
Target was also the victim of a 2007 data breach, so it should have been better prepared. Shockingly, the recent Target attack, said cyber expert Mike Fey, McAfee's chief technology officer, "was defendable by technology that has been around. It didn't require a new silver bullet."
Target's chief information tech officer resigned last week.
Target was not the only recent victim of the new cyber underground. Neiman Marcus reported in January that its computers had been hacked, but provided little detail.
And Reuters reports that at least three other well-known retailers have been hacked in recent months by methods similar to the ones used to penetrate Target's security.
The message should be getting across to the retail industry that more must be done to protect customer credit card and other data.
"A lot of retailers assumed that if they don't have a standard point-of-sale system, they were somehow safe," Mr. Fey said. "And I think Target showed them that's not the case." In the worst way.
The attack, he says, should be a "wake-up call" for other retailers who think their computer systems are safe.
It ought to be a wake-up call for consumers as well.
Cash payments, anyone?