By Michael Riley
WASHINGTON — Hacking attacks like those that siphoned credit-card data from Target and Neiman Marcus are probably part of an unprecedented assault on a larger number of retailers, according to a security company working with the government.
The assaults on retailers may involve multiple groups of hackers who appear to be working from a sophisticated piece of software code that began circulating on underground websites last June, iSIGHT Partners, a Dallas, Texas-based security company that tracks cyber criminals, said in a report.
The report doesn't say whether the software, dubbed Kaptoxa, was used in the theft of as many as 40 million customer credit and debit card accounts from Target. A person briefed on the investigation, who asked not to be identified because the matter is confidential, said Kaptoxa is the same software that infected Target. Molly Snyder, a spokeswoman for Target, declined to comment.
"We haven't seen the last of this," said iSIGHT Chief Executive Officer John Watters in an interview. "Now it's a race to the bank with the criminals rushing to hijack the data and convert it into criminal gain before the door to profitability is closed."
The iSIGHT report said the scale and sophistication of the campaign against retailers' point of sale systems — the terminals on which customers swipe credit and debit cards — may be the largest ever seen, escaping elaborate industry efforts to secure a system that processes more than $3.3 trillion in U.S. transactions annually.
Target, the second-largest U.S. discount chain, has said the theft of customer data may have affected anyone who provided it basic information over the past several years. In December, the company said credit- and debit-card data for as many as 40 million people who shopped in its stores between Nov. 27 and Dec. 15 may have been compromised. Earlier this month, the company said the thieves also got access to the names, phone numbers and home and e-mail addresses of as many as 70 million people.
Target hasn't disclosed details about how its point of sale system was breached.
Neiman Marcus said earlier this month some unauthorized purchases may have been made with customer cards, without disclosing the scope of the breach. Credit-card processors alerted the Dallas-based luxury chain to the incursion in mid-December and the company is working with federal authorities and investigating the matter, according to a statement.
Neiman Marcus and Target are being investigated by Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan over the theft of customer credit-card data.
Within a week of Target's disclosure about the breach, it was facing almost two dozen lawsuits filed by customers. It has also been sued by Putnam, Conn.-based Putnam Bank over claims the security breakdown cost it money because it forced the bank to issue customer alerts and new cards while reimbursing account-holders for their own losses.
The two breaches complicate matters for retailers already struggling to attract shoppers and cutting forecasts after engaging in a margin-eating price war.
Other states involved in the Target probe include Florida, Iowa, Massachusetts and Pennsylvania, spokespersons for those states' attorneys general have said.
David Robertson, publisher of The Nilson Report, an industry newsletter, estimated that the value of Visa, MasterCard, American Express and Discover card payments topped $4 trillion in 2013, up more than 8 percent from 2012. He projected that the value will top $5 trillion by 2015.
When the Kaptoxa malware was first analyzed by federal investigators in December, it hadn't been detected by any of the more than two-dozen anti-virus systems that are meant to protect computers from infection, the iSIGHT report said.
A non-public report issued by the Department of Homeland Security and written with iSIGHT's help will be shared with retailers and industry associations, according to DHS spokesman S.Y. Lee. That report outlines technical details of the malware and other aspects of the attack, according to iSIGHT.
According to the iSIGHT analysis, the software infects POS terminals, sends out the stolen information, then covers its tracks by automatically deleting those files.
The difficulty of detecting and tracing the attacks is what makes them so dangerous and has allowed hackers to breach multiple retailers over the last several months, according to the report.
The malicious software, named for a Russian word that appears several times in the code, was sold in black-market web forums starting last summer and was customized by hackers to fit specific victims, making attacks more effective, iSIGHT's Watters said.
The attacks show how cybercriminals are outpacing the ability of companies to respond, Watters said.
— With assistance from Cotten Timberlake in Washington and Renee Dudley in New York.