The holiday season data breach at Target that hit more than 70 million consumers was part of a wide and highly skilled international hacking campaign that's "almost certainly" based in Russia. That's according to a report prepared for federal and private investigators by Dallas-based cybersecurity firm iSight Partners.
And the fraudsters are so skilled that sources say at least a handful of other retailers have been compromised.
"The intrusion operators displayed innovation and a high degree of skill," the iSight report says.
The report doesn't say specifically how Target's network was breached but says that a virus was injected into the retail giant's credit card swiping machines, and that malware allowed hackers to collect data from the magnetic stripes on payment cards. The problem for the security companies hired to protect retailers is, according to iSight, that the malware the bad guys are using can't be detected by anti-virus software.
Who are these guys? Well, it's all part of an underground market that's been running for years — Planet Money featured this dark credit card underworld in 2011 — and the hackers writing data-stealing code are getting more sophisticated than ever.
"There's already a lot of breaches related to the Target breach that aren't being disclosed," says Avivah Litan, a retail industry analyst for Gartner. "The chances that we'll see another big breach like this are probably 80 percent."
Investigators believe people from Russian-speaking countries are involved because some of the programming code used against Target was partly written in Russian, according to The Wall Street Journal. "Both details suggest the attack may have ties to organized crime in the former Soviet Union," the Journal said, citing former U.S. officials.
Litan says the hackers are "very smart. They have great training in mathematics and computer science over in Eastern Europe. These young kids don't have any work to do, there's not a lot of employment opportunities, they don't see this as really harming people directly, it's just harming the capitalist system. And they're great programmers, so why should they stop? They're getting away with it."
Private companies, the U.S. Department of Homeland Security and the Secret Service are investigating the latest breaches. But the broad and sophisticated hacking campaign leaves industry in a tough spot. Visa has said it plans to move to the more secure chip-and-PIN payment system — and away from magnetic stripes — for credit and debit cards by 2015. But that requires a lot of infrastructure change at stores, which are running on the familiar machines that are so vulnerable.
In the meantime, the steady drip of information about security breaches continues. Early Friday afternoon, Reuters reported that the malware that infected Target is involved in "at least six ongoing attacks at merchants across the United States." On Thursday, Neiman Marcus CEO Karen Katz apologized to customers affected by a data breach at its stores in December.