Authorities are taking a close look at who hacked into Target's customer information database
As computer experts peel back the layers of Target's massive data breach, federal and state law enforcement agencies are running parallel investigations to find the cyber criminals who infiltrated the retailer's computers.
Target reported Friday that the cyber thieves compromised the credit card data and personal information of as many as 110 million customers. That data includes phone numbers, email and home addresses, credit and debit card numbers, PINs, expiration dates and magnetic strip information.
"The Secret Service will confirm that it is investigating this incident," spokesman Brian Leary said. "It is an ongoing investigation and we can provide no further comment."
The U.S. Secret Service leads an Electronic Crimes Task Force that brings together federal, state and local law enforcement, prosecutors, computer experts and academics to detect and trace attacks on the nation's financial and computer networks, including identity theft, credit card fraud and bank fraud.
While police hunt for the cyber criminals, attorneys general nationwide say they will look more closely at whether Target provided enough protection for its customers.
"Consumers in New York and around the country expect and deserve companies that protect their personal information when they shop on their websites and in their stores," New York Attorney General Eric Schneiderman said in a statement.
North Carolina Attorney General Roy Cooper said his state would also join the investigation and is seeking information from Target about how many North Carolina consumers may be exposed. Criminals with contact information can target consumers with telemarketing scams, identity theft and phishing, Cooper said.
North Carolina law requires businesses to notify customers and the attorney general if their personal information is compromised.
"Putting millions of people's personal information at risk is unacceptable," Cooper said. "Companies must do a better job of protecting their customers if they want to earn their business and their trust."
Target has offered free credit monitoring and identity theft protection to its customers.
Federal agents will try to trace the attack back to its origins by analyzing the network to find vulnerabilities and identify artifacts left by the hackers, says Shawn Henry, former FBI executive assistant director and the president of CrowdStrike Services, a security technology company that helps organizations protect sensitive data from network breaches.
"It's not unlike looking for spent shell casings or fingerprints at a crime scene," Henry said. "For law enforcement, this is about identifying who the adversaries are and stopping them."
Cyber thieves can use malware, a computer code that exploits a network vulnerability, to access the network, Henry said. Once on the network, the criminals can move undetected from server to server searching for and collecting the information they want.
"These networks are vast," Henry says. "We've seen adversaries who have been on networks for weeks, months and years. Getting on the network is the easy part."
Donna L. Wilson, a litigation partner at Manatt, Phelps & Phillips in Los Angeles who specializes in consumer protection, data security and privacy, says she repeatedly urges clients to invest in top-notch security.
"I tell clients it is not a matter of is it going to happen. It's when and how many times," Wilson said. "These are literally surprise attacks and the risk absolutely does change every day."
The challenge for companies is trying to predict how a cyber criminal will attack next, she said.
"Oftentimes, with data security, you find yourself planning for the last war and trying to anticipate what's happening in the future," Wilson said.
Computer investigators will examine computer logs and access points to figure out how the cyber thieves breached security and stole the data, but, like most criminals, they would take steps to cover their tracks, says Tony Anscombe, senior security evangelist for AVG Technologies, a Netherlands-based company that produces computer protection and privacy software.
"Cyber criminals have gotten very clever in that way," Anscombe says. Cyber criminals "can employ very good people to look for back doors, vulnerabilities. It's an ever changing game."