Target data breach: 'It's like they've stormed the castle'

PORTLAND, Ore. -- Tripwire security researcher Ken Westin diagrammed for me Friday the newest revelation about Target's security breach.

Instead of just information being stolen between Target stores and the servers that process credit and debit card purchases, the retailer is saying hackers infiltrated the Target network and stole customer email addresses, home addresses and phone numbers.

The number of affected customers has jumped to 70 million, up from 40 million when Target first announced the breach in December. And the company, which had previously said only customers who shopped inside stores between Nov. 27 and Dec. 15 were at risk, now says online shopper data was compromised as well.

Westin explained how something like this happens and how once a hacker is "able to get in there, he basically has access to the full network. So if you think of this like a perimeter, like a castle?" he says about the circle on his whiteboard, "they've basically stormed the castle. Now they're inside."

Westin says that once the hackers are inside, Target employees are at risk as well. For example, hackers may have broken into Target's human resources server that stores the Social Security numbers of employees or people who applied for jobs with the company.

He likens the situation to a virus during flu season.

"You get the flu, you get stuffy nose, and the next thing you know it's all over your entire body? It's the same thing here. It's going to take them a while to get better," Westin said.

And he warns that breaches like this are bound to occur roughly once a month for the next year and a half, until the United States changes to the more sophisticated credit cards that contain a computer chip and make large-scale breaches like this more difficult.

Target is admitting its holiday sales were down after the breach was announced. It's closing eight stores nationwide. It is offering customers one year of free credit monitoring and identity theft protection but won't have details on that until next week.

Westin said the most aggressive way for people to protect themselves if they shopped at Target online or in stores using credit or debit cards is to call their bank or credit company and get a card re-issued. It may be a hassle relinking accounts that you may have connected to that account number, like gym memberships or cable bills, but he says it's highly worth the peace of mind in the weeks and months to come.