The massive holiday season data breach that took tens of millions of Target shoppers by storm and led to the compromising of private debit and credit card information was perpetrated by a teen in Russia, security firm experts said.
The teen, age 17, is also believed to have hacked Neiman Marcus, CNN reported.
Security firm IntelCrawler said the breach — which gave access to 70-plus million credit and debit card numbers and personal information at the swiping machines in Target — came by way of a malware infection to the retail giant’s system. And the malware quite possibly could have compromised numerous other retailers, the firm warned. Neiman Marcus reported a similar compromise just a couple weeks ago.
The malware is an “off-the-shelf” product called BlackPOS, security officials told CNN. Investigators think it was created by a 17-year-old with ties to St. Petersburg, who then shared it with others.
“Well, we should be worried,” SecureState CEO Ken Staskiak said, in CNN. “One of the things the hackers do is take the malware as it’s called. Once it’s identified, then the security community can rally around it and put controls in place. But the problem is, the hackers know that. And they manipulate or mutate this malware, and then re-use it.”
Investigators think the teen “originated the code, or the malware everybody’s calling it now. And [he or she] was able to put it up on the Internet for download for other hackers to then take, and potentially use it for malicious harm. And that’s what we believe happened to Target and Neiman Marcus.”
The results could be even more devastating that initially thought.
Andres Komarov, the CEO of IntelCrawler, said more BlackPOS malware infections could soon come to light — and retailers should be on guard.