Why the Target Breach Might Be Even Bigger: Big Data Means Big Breach

So Target has now updated the scope of the data breach: it is much bigger than the original 40 million credit cards and now includes information on more than 70 million customers, including addresses, email addresses and phone numbers.

But this latest announcement has my spider senses tingling. The way the breach has been announced to date, with each update increasing its scope, makes me uncomfortable. In the announcement they state:

At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals

Target does not collect information like your address because they want to send you a Christmas card. Target is an innovator in predictive analytics, and they have what is internally called a Guest ID. This identifier is used to track your purchases, whether you paid with a credit card or used coupons, filled out a survey, called customer support, opened an email from them, and other activities.

This Guest ID is linked to your credit card number, email address, or name:

Target Guest ID Data Collection

In the announcement Target states:

Data is partial in nature, but in cases where Target has an email address, the Company will attempt to contact affected guests

Further according to the Wall Street Journal Target said:

There was some overlap between the two sets of stolen data, but Target didn’t say how extensive it was.

So there is some overlap between the two data sets, with credit card information mapped to some users and only some users having email addresses. It would seem logical that the Guest ID data could be what was compromised. I really hope I am wrong.

Target’s chief statistician Andrew Pole discussed the Guest ID program in the New York Times back in 2012:

“If you use a credit card or a coupon, or fill out a survey, or mail in a refund, or call the customer help line, or open an e-mail we’ve sent you or visit our Web site, we’ll record it and link it to your Guest ID. We want to know everything we can.”

The Guest ID can be linked to demographic data such as age, marital status, whether you have kids, estimated salary and what credit cards you carry. This data can be further mapped to other data they can buy about you, including ethnicity, job history and the magazines you read.

Target made media waves a few years back when it was discovered that the company had figured out a teen girl was pregnant before her father did. Imagine hackers launching a spear-phishing campaign with the same level of accuracy.

Security and privacy are two sides of the same coin: the more a business encroaches on privacy by storing this type of data, the higher the risk it takes on in securing it. Big data can mean big risk and a big breach.

Given that Target’s breach has now expanded beyond the credit card terminals themselves to include data on other systems, I believe it is highly likely that other information, including the Guest ID data, may have been compromised.

Ken Westin

Your Pundit of Paranoia