Expert: One vulnerability is all it takes to compromise consumer data

Ken Westin, a security researcher with Portland-based software company Tripwire, draws a diagram (re-created in the graphic below) for On Your Side Investigator Anna Canzano to show how a breach like this occurs.

PORTLAND, Ore. -- How do Target and 40 million of its customers fall victim to a massive data breach? A security expert I talked with tells me that all it takes is one vulnerability in the company's system.

It only takes one employee opening the wrong email or going to the wrong website and hackers can find their way in. It puts millions of us at risk.

Ken Westin, a security researcher with Portland-based software company, Tripwire, says, "With this breach right now, Target and their IT department I'm sure is scrambling because they don't know where the breach occurred, they don't know what systems are compromised, they don't know what on their network they can trust."

He explains that on a given day, customers shopping at Target swipe their credit cards, debit cards or Target REDcards at the cashier. Those account numbers go to an acquisition hub, then a processing center. Both the acquisition hub and the processor may be third-party companies Target hires to handle these transactions.

Somewhere along the way, the hackers exploit a weak point in the system, infect it, and siphon customers' credit and debit account numbers to their own server for use at a later time. The legitimate transactions continue going to Target's acquisition and processing hubs, but the information also goes to the hackers' servers. That's why, he says, Target can go days, or in this case weeks, without knowing anything is wrong.

Westin says what makes customers in the United States particularly vulnerable is the type of credit and debit cards we use -- magnetic stripe technology from the 1960s. Most of the rest of the world, he says, uses cards that have a computer chip and PIN method, which substantially mitigates vulnerabilities and makes an attack like this much harder for hackers.

A Target spokeswoman said Thursday afternoon "There is no indication PIN numbers were exposed in this security failure."

And most shoppers we talked with at the Downtown Portland Target store didn't seem too fazed by the data breach. Many assumed that if their identity is stolen, their bank or credit company would cover their losses.

But Westin cautions against a casual attitude toward this matter, given everything that remains unknown about how it happened, and how, ultimately, the cash in your checking account may also be at risk.

"The fact they got the security code and the card number there's a good chance they captured the PIN number that people were entering in. We're not sure yet, we haven't been told by Target or the card processors the scale of this breach," he said.

Given the scope of this breach, Westin wouldn't be surprised if more large national stores come forward in the next few weeks and months with similar issues.


Information about Target's data breach:

Target phone number to call if you suspect your cards have been compromised: 866-852-8680.

Target's press release

Target's statement to its customers

Check your credit, get your free credit report:

www.AnnualCreditReport.com

Or Call: (877) 322-8228

Nationwide credit reporting agencies:

Equifax
(800) 525-6285
P.O. Box 740241
Atlanta, GA 30374-0241
www.equifax.com

Experian
(888) 397-3742
P.O. Box 9532
Allen, TX 75013
www.experian.com

TransUnion
(800) 680-7289
Fraud Victim Assistance Division
P.O. Box 6790
Fullerton, CA 92834-6790
www.transunion.com