Smaller breaches on at least three other well-known U.S. retailers
took place and were conducted using similar techniques as the one on
Target, according to the people familiar with the attacks. Those
breaches have yet to come to light. Also, similar breaches may have
occurred earlier last year.
The sources said that they involved retailers with outlets in malls,
but declined to elaborate. They also said that while they suspect
the perpetrators may be the same as those who launched the Target
attack, they cannot be sure because they are still trying to find
the culprits behind all of the security breaches.
Law enforcement sources have said they suspect the ring leaders are
from Eastern Europe, which is where most big cyber crime cases have
been hatched over the past decade.
Only one well-known retailer, Neiman Marcus, has said that they too
have been victim of a cyber attack since Target's December 19
disclosure that some 40 million payment card numbers had been stolen
in a cyber attack. On Friday, Target said the data breach was worse
than initially thought.
An investigation found that hackers stole the personal information
of at least 70 million customers, including names, mailing
addresses, telephone numbers and email addresses. Neiman Marcus said
it was not sure if the breach was related to the Target incident.
Most states have laws that require companies to contact customers
when certain personal information is compromised. In many cases the
task of notification falls on the credit card issuer.
Merchants are required to report breaches of personal information
including social security numbers. It was not immediately clear if
that was the case with the retailers who were attacked around the
same time as Target.
The Secret Service and Department of Justice, which are
investigating the Target breach, declined to comment on Saturday.
Target has not disclosed how the attackers managed to breach its
network or siphon off some of its most sensitive data.
The sources who spoke to Reuters about the breaches said that
investigators believe the attackers used similar techniques and
pieces of malicious software to steal data from Target and other
One of the pieces of malware they used was something known as a RAM
scraper, or memory-parsing software, which enables cyber criminals
to grab encrypted data by capturing it when it travels through the
live memory of a computer, where it appears in plain text, the
While the technology has been around for many years, its use has
increased in recent years as retailers have improved their security,
making it more difficult for hackers to obtain credit card data
using other approaches.
Visa Inc issued two alerts last year about a surge in cyber attacks
on retailers that specifically warned about the threat from memory
The alerts, published in April and August, provided retailers with
technical details on how the attacks were launched and advice on
A Visa spokeswoman declined comment on the reports, which did not
identify specific victims.
It was not clear whether Target's security team had implemented the
measures that Visa had recommended to mitigate the risks of being
Yet a law enforcement source familiar with the breach said that even
if the retailer had implemented those steps, the efforts may not
have succeeded in stopping the attack.
That is because the attackers were more sophisticated than the ones
in the previous attacks described in the Visa alerts, according to
the source. The source asked not to be identified because they were
not authorized to discuss the matter publicly.
[to top of second column]
Retailers are often reluctant to report breaches out of concern it
could hurt their businesses. Target only acknowledged its 2013
attack after security blogger Brian Krebs reported the breach,
prompting inquiries from journalists and investors.
Neiman Marcus said an outside forensics firm discovered evidence on
January 1 that indicated the retailer had been the victim of a cyber
attack. It disclosed the breach nine days later, after another
inquiry from Krebs, who was following up on reports about a surge in
fraudulent charges traced to the retailer.
Target and J.C. Penney Co Inc. waited more than two years to admit
that they were victims in 2007 of notorious hacker Albert Gonzalez,
who was accused of masterminding the theft and reselling of millions
of credit cards and ATM numbers.
During his trial the companies were represented by lawyers who did
not identify their clients as Target and J.C Penney.
Doug Johnson, vice president of risk management policy with the
American Bankers Association, said banks and credit card firms like
Visa are forbidden from naming merchants that have been breached,
unless they disclose it themselves.
"It is really frustrating to the bank and also the customer,"
One of the sources who told Reuters about the recent rash of attacks
said the memory parsing malware cited in the Visa reports was among
the tools that the hackers had used, but said they used other
techniques as well.
Target spokeswoman Molly Snyder said the retailer is not commenting
on the company's investigation of the breach.
"This continues to be an active and ongoing investigation. It would
be inappropriate to discuss details at this point."
Avivah Litan, a security analyst for Stamford, Connecticut -based
Gartner information technology research firm, said she learned about
a separate set of breaches, dating back no more than a few months
before the November 28 Thanksgiving Day start of the holiday
shopping season, from a forensics investigator. She declined to
provide his name.
"Target was not the only retailer who got hit, but they got hit the
biggest," Litan said.
Investigators believe that the early series of attacks on retailers
staged before late November were mostly used as trial attacks to
help the hackers perfect new techniques they then used against
Target, stealing payment cards at unprecedented speed, Litan said.
Chris Gray, director of Denver, Colorado -based Accuvant information
security firm's risk and compliance practice, said that
sophisticated cyber crime groups do that because they only have once
chance to get it right before victims catch on.
"You want to test it and make sure it works," Gray said. "Then you
push it out at the appropriate time and do as much damage as you
(Reporting by Jim Finkle in Boston and
Mark Hosenball in Washington; editing by Grant McCool)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.