Following Target and Sony attacks Obama calls for 30-day mandatory reporting
Malware installed in PoS cash registers is behind the Target data breach. Reuters

Target has told customers in an open letter that it is investing $5m in a multi-year phishing scam education programme, and will provide all customers with free Experian credit monitoring and identity theft protection for one year.

The under-fire American retailer discovered a major security breach in December 2013, when payment data from about 40 million credit and debit cards was stolen from Christmas shoppers at its stores over 19 days between 27 November and 15 December.

It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.

Target has confirmed that cybercriminals used malware that had been installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.

Dangers of consumer scams

In an open letter published in several US newspapers, Target's CEO Gregg Steinhafel has apologised for the data breach and vowed to cover all fraudulent charges arising from the breach.

"In the days ahead, Target will announce a coalition to help educate the public on the dangers of consumer scams. We will also accelerate the conversation – among customers, retailers, the financial community, regulators and others – on adopting newer, more secure technologies that protect consumers," wrote Steinhafel.

"I know this breach has had a real impact on you, creating a great deal of confusion and frustration. I share those feelings. You expect more from us and deserve better."

Customers will also have free access to Experian's ProtectMyID credit monitoring and identity theft protection product, and are invited to sign up to receive the activation code at creditmonitoring.target.com by 23 April, with a deadline to redeem all codes by 30 April 2014.

Unnamed sources interviewed by Reuters claim that the malicious software used was a PoS RAM scraper, a piece of malware written in multiple programming languages that can steal payment data from the memory of the cash register's computer system.

Concerns about PoS data encryption

The malware was first identified by security researchers in 2008, and according to data released by Sophos in July 2013, 56% of the PoS systems infected by RAM scrapper malware in the world are located in the US, followed by 16% in Germany, 8% in Canada and 8% in the UK.

The PoS systems most commonly targeted are found in the retail, food services, healthcare and tourism industries, where the PC-based systems often do not have as high a level of security as PCs in enterprises.

Security firm Sophos has raised the concern that although all PoS terminals are encrypted using the payment card industry's PCI-DSS security standards, the data is not encrypted all the time.

"RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the PoS register, albeit briefly. This happens as the data is transferred from the PoS terminal to the PoS register," writes Sophos researcher Paul Ducklin on the Naked Security blog.

"Of course, PoS registers usually run some version of Windows, and are connected together on an enterprise-wide network. So a RAM scraping botnet can be used to look out for credit-card-like data popping up in memory on an infected computer. The bot then grabs the data before payment processing has even taken place, and squirrels it out into the hands of the botmasters."