Massive data breach: Target’s Windows-based PoS terminals were infected with malware

“The CEO of retailer Target revealed Saturday in an interview that the company’s point-of-sale (PoS) systems were infected with malware, confirming what security experts suspected since the massive data breach was announced in mid-December,” Lucian Constantin reports for PCWorld. “Answering a question about what caused the breach during an interview for CNBC, Target CEO Gregg Steinhafel said: ‘We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we’ve established.'”

“Target originally said that approximately 40 million credit and debit card accounts may have been impacted by the breach. The company announced Friday that information like names, email addresses, mailing addresses and phone numbers of an additional 70 million people has also been stolen,” Constantin reports. “PoS systems are actually computers with peripherals like card readers and keypads attached to them. Many of these systems run a version of Windows Embedded as the OS as well as special cash register software. Target said that the credit and debit card information was stolen from its systems between Nov. 27 and Dec. 15.

“Visa issued two security alerts last year, in April and August, warning merchants of attacks using memory-parsing PoS malware,” Constantin reports. “‘Since January 2013, Visa has seen an increase in network intrusions involving retail merchants,’ Visa said in its August advisory. ‘Once inside the merchant’s network, the hacker will install memory parser malware on the Windows based cash register system in each lane or on the Back-of-the-House (BOH) servers to extract full magnetic stripe data in random access memory (RAM).'”

Read more in the full article here.

MacDailyNews Take: Windows Embedded? Those terminals were PoS, indeed.

Microsoft Windows. The gift that keeps on giving.

Apple Retail Stores unaffected.

[Thanks to MacDailyNews Reader “Lynn Weiler” for the heads up.]

Related articles:
Target debacle: Retailer now says 70 million people hit in massive data breach – January 10, 2014
NY Apple thefts eyed in Target’s nationwide credit breach – December 20, 2013
Target hit by massive credit-card breach – December 19, 2013

Yahoo on malware from ads: Macintosh unaffected – January 6, 2014
The Microsoft Tax: Malicious worm on Skype lets hackers hold Windows PCs for ransom; Macintosh unaffected – October 10, 2012
The Microsoft Tax: Critical Windows flaw affects millions of high-value PCs with self-replicating attacks – March 13, 2012
The Microsoft Tax: Virus infects Windows PC control systems of US Predator and Reaper drones – October 8, 2011
The Microsoft Tax: ‘Indestructible’ botnet attacks millions of Windows PCs; Macintosh unaffected – July 1, 2011
The Microsoft tax: Stuxnet computer worm infects Microsoft’s porous Windows OS; Mac unaffected – September 27, 2010
The Microsoft Tax: New undetectable Windows trojan empties bank accounts worldwide; Mac unaffected – August 11, 2010
The Microsoft Tax: Windows zero-day flaw exposes users to code execution attack; Mac unaffected – August 09, 2010
The Microsoft Tax: Critical flaw lets hackers take remote control of Windows PCs; Mac unaffected – August 07, 2010
The Microsoft Tax: New attack bypasses every Windows XP security product tested; Mac unaffected – May 11, 2010
The Microsoft Tax: McAfee correctly identifies Windows as malware; Macintosh unaffected – April 21, 2010
The Microsoft Tax: DNS Windows PC Trojan poses as iPhone unlock utility; Mac and iPhone unaffected – April 15, 2010
The Microsoft Tax: 1-in-10 Windows PCs still vulnerable to Conficker worm; Macintosh unaffected – April 08, 2010
The Microsoft Tax: 74,000 Windows PCs in 2,500 companies attacked globally; Mac users unaffected – February 18, 2010
The Microsoft Tax: Widespread attacks exploit Internet Explorer flaw; Macintosh unaffected – January 22, 2010
The Microsoft Tax: Windows 7 zero-day flaw enables attackers to cripple PCs; Macintosh unaffected – November 16, 2009
The Microsoft Tax: Windows 7 flaw allows attackers to remotely crash PCs; Macintosh unaffected – November 12, 2009
The Microsoft Tax: Windows virus delivers child porn to PCs, users go to jail; Mac users unaffected – November 09, 2009
The Microsoft Tax: Worms infest Windows PCs worldwide; Mac users unaffected – November 02, 2009
The Microsoft Tax: Banking Trojan horse steals money from Windows sufferers; Mac users unaffected – September 30, 2009
The Microsoft Tax: Serious Windows security flaw lets hackers to take over PCs; Macintosh unaffected – July 07, 2009
The Microsoft Tax: Windows Conficker worm hits hospital devices; Macintosh unaffected – April 29, 2009
The Microsoft Tax: Conficker virus begins to attack Windows PCs; Macintosh unaffected – April 27, 2009
The Microsoft Tax: Conficker’s estimated economic cost: $9.1 billion – April 24, 2009


      1. Yes, I was luck y not to have installed the POS for the Target Stores when we did the upgrade/replacements for the computers this past Summer. Target was beginning to move to iPad Kiosks in the Portland/Vancouver area. Perhaps they can migrate more quickly to an iPad solution for Sales?

        We all know what POS really stands for. BTW a few years ago a Canadian firm had been selling Macs for Cash Register environments –

  1. I am not aware that Apple even has a point of sale solution. Ok, a PoS solution that runs on cash registers found in ordinary retail establishments (and I’m not talking about the iPad/iPod touch PoS here).

    The next question is how much of the security breach is attributable to a magnetic plastic strip on the back on the card that holds all the user information instead of the more modern microchip and PIN system used in Europe and elsewhere in the world. I’m sure Europe and the rest of the world use the same MS PoS solution so much though I’d like to blame MS, and it still may be to blame here, if the underlying security of the card is like Swiss cheese, no amount of PoS improvements is going to make the problem go away.

    1. “I am not aware that Apple even has a point of sale solution. Ok, a PoS solution that runs on cash registers found in ordinary retail establishments (and I’m not talking about the iPad/iPod touch PoS here).”

      What the heck kind of qualification is that? Why not just say you’re unaware of any PoS system by Apple that requires electricity? I’m seeing PoS systems all over the place with iPads, iPods, and iPhones along with Macs.

      You’re right that this would’ve been avoided if there was a modern microchip instead of unencrypted strip data, but it also would’ve been avoided if the Windows PCs had not been infected (along with other failures by Target).

      1. Most retailers and I’m talking about major retailers, not your mom & pop stores, run Microsoft Server at the back-end to collect, collate and analyse sales data, and pump sales data to management to look at the performance of individual stores. Not to mention that most of the IT infrastructure is run on an MS platform. Mac OS X Server? That’s a joke itself.

        So the integration of an MS PoS to the MS back-end is seamless and requires less IT effort than running a Mac PoS and an MS back-end. I have yet to see a large retailer (not Apple Stores) get behind a Mac PoS system.

        1. Fair enough if you’re talking about established PoS in major retail operations, but your original comment made it sound non-existent rather than “not yet mainstream”. iOS and OS X PoS is exploding on the retail scene. As far as large implementations, Apple retail doesn’t count I guess /s, but there’s Nordstrom, Home Depot, Old Navy… just off the top of my head. As far as small retail businesses, they’re quickly becoming the standard.

    2. BLN: Assuming you’re attempting to be serious, the magnetic stripe credit card has NOTHING to do with this issue and is only a red herring tossed at the public in order to divert BLAME away from all the retail companies who are directly to blame for OUTRAGEOUS security ignorance and lack of scrutiny.

      I wrote about this subject in exhaustive detail HERE.

  2. If this happened to an Apple device Apple would be condemned front and centre by the Press like WSJ, NYT, CNBC etc. Apple would be the headliner not Target (like: “Apple computers cause massive data leak ” “Congress investigates Apple for Security Issues concerning Data Leak ” )

    As it’s (another) PC problem the MAIN STREAM press would hardly mention Msft Windows connection and certainly it would not be the main part of the story.

    When the Deepwater Horizon Oil Rig blew up and poured those thousands of gallons of crude into the ocean one of the main culprits (again) was Windows computers:

    Computerworld 2010 :

    “Computerworld – A computer that monitored drilling operations on the Deepwater Horizon had been freezing with a “blue screen of death” prior to the explosion that sank the oil rig last April, the chief electronics technician aboard testified Friday at a federal hearing… “Williams said that a computer control system in the drill shack would still record high gas levels or a fire, but it would not trigger warning sirens, ”

    None of the hundreds of main stream press reports ever highlighted PCs role in this. No warnings (that I know off) from dozens of government bodies involved in the investigation/cleanup etc ever made a statement saying PCs were dangerous crap. I guess as most press agencies, government bodies use PCs nobody wants to rock the boat.

    ( Imagine if it was an Apple system on DeepWater Horizon, those who follow the Foxconn silliness know what I’m talking about… )

    1. In the first place, there are no Mac OS X compatible apps to monitor oil well pressure. Good luck putting a Mac in the drilling rig. It’ll only let you listen to iTunes Radio and play Candy Crush on your iPhone.

      In the second place, the blowout was caused by inferior grade sealing cement used to seal the exploratory well before replacing the drilling pipe with a production pipe.

            1. Maybe the geologic modelling department might run UNIX on the mainframe but the SCADA (supervisory control and data acquisition) system runs on Windows. He was specifically referring to the wellhead oil pressure monitoring system. That will run on Windows at the front end, not UNIX.

      1. you’re missing the point.

        My point is that the press has double standards.
        I’m not saying Apple has oil rig software but IF apple had helped cause the disaster the press would have BLOWN IT UP IN BIG HEADLINES (“APPLE CAUSES ECO DISASTER” “GREENPEACE PICKETS APPLE HQ OVER DEEPWATER HORIZON” ETC ) but because it’s not apple the don’t really care. Even if others are involved with apple in something it’s always apple singled out for condemnation by the press: Re NYT and foxconn. The know their stories get attention when they bash apple.


    2. “As it’s (another) PC problem the MAIN STREAM press would hardly mention Msft Windows connection and certainly it would not be the main part of the story.”

      That’s because the News prints what’s new.
      This isn’t new . . . or news. (and that’s the real story)

      1. “This isn’t new . . . or news.”

        computerworld report I quoted was from 2010

        I’m saying AT THAT TIME when the press wall over the issue with the investigations etc Msft was not really dragged into it.

        And I’m not saying that “apple had a better oil rig solution’
        you guys are missing the point which is IF apple had an oil rig solution and a mac caused the problem the press would have BLOWN the APPLE NAME all over PUTTING THE FOCUS TO BASH APPLE but because it’s not, like it’s a PC it’s buried somewhere and only reported in the TECH press in detail.

        the press has double standard when it comes to Apple. When it talks Foxconn it’s always apple yet Msft, Dell, HP, sony, Nintendo etc all use foxconn. Once when people threatened suicide on top the Foxconn building making Xboxes (because the Xbox line was closing) it’s reported in the Press photos I saw as “Workers at Apple Supplier Factory threaten Suicide” (I know they were misusing it as the TECH press explaining the Xbox issue had the same photo).

        1. “the press has double standard when it comes to Apple”

          (sharp intake of breath, cell phone clatters to floor, blood drains from face, imprecations rise to lips, innocence shattered)

  3. If THAT was the cause, there is NO WAY Target was the only “target” for this malware. It’s probably on MANY Windows-based PoS systems of smaller retailers and businesses, even right now, all over the place.

    Check your credit card bills diligently (whether you shopped at Target or not), every month. I recently found an unknown charge on my credit card. It was a small amount, so I may not have noticed it if I was not checking line by line. It was not related to the Target mess, because I have not recently used that card for local purchases (only online payments). The charge was easily reversed, but I had to get that card replaced with a new one (with a brand new number).

    1. I guess I am lucky in that my credit card company monitors my card usage very closely. Once each of the last two years they called immediately upon noticing very small charges ($0.18 or so) to obscure companies–usually porn sites they said. Apparently the card number had been stolen and was being tested for validity. In both cases they immediately reversed the charge, cancelled the card, and issued a new one.

  4. Apple is constantly losing huge amounts of market share to Android smartphones and selling a few million more low-cost iPhones in India sure isn’t going to make much of a difference to Apple’s revenue stream. There’s nothing Apple can do to bring back that lost market share that Wall Street demands by selling an 8 GB iPhone. Google’s combined free Chrome OS and free Android OS strategy is just better for market share than any strategy Apple can possibly come up with. So if Apple decides to sell a cheaper iPhone in India they must be doing it because they see some long-term benefit from offering iPhone services.

    Apple needs to develop a long-term low-cost iPhone strategy where Apple helps to finance those smartphones to consumers in emerging nations. I still don’t think it’s going to have any immediate effect by showing gained market share, though. It’ll just slow the loss of market share by tiny amounts. Unless something goes very wrong with Android’s ecosystem, Google as a company will continue to grow wealthier and stronger. Almost no consumers or companies can resist the lure of free Android. Google’s free Android OS bait is proving irresistible and it appears Windows OS is likely to be pushed aside for the most part.

    1. Let’s get real. India is a two class society. The wages in India are a joke. These people have to work ridiculous hours just for a roof and food. Cheap is what moves there, for the most part, it’s all they can afford. Like MDN likes to say, they’re a Hee Haw demographic. Except in this case, a Hee Haw demographic on steroids.

    2. And Porche needs to develop a low cost car to try to sell to emerging nations to increase their sales also. Laughable laughing idiot. Market share isn’t everything. Quality and performance is. Take another hit on that Laughing Gas tube.

  5. While it’s not a PoS system, I still run an accounts receivable program tailored exactly to my business that runs on . . . . . (drumroll) . . . . . . . DOS.

    It’s not connected to the internet. It’s about as few lines of code as possible. And while it has some inflexibilities, it is what it is and works extremely reliably.

    In my humble opinion as a Mac user since my teenage years in the early/mid 1990s is that to a great degree full fledged PCs with all of their inherent vulnerabilities are used too much. In situations such as PoS, it seems to me it would be much better to have devices specifically designed for a limited task.

    1. Nothing wrong with that, at all. In my travels I witness many ingenious small business solutions that survive time and fashion quite effectively. What seems remarkable to me is that the long reach of Microsoft and other enterprise-centric corporations has not penetrated into the nervous systems of people, as it has into the vital fluids of large companies.

      We have computers but many of us do not need what the OS vendors constantly are trying to sell us. Microsoft may have declared XP EOL but that will not change anything for millions of folks, those not under the thrall of IT drones, who will soldier on with the systems they have paid for and perfected for their unique business purposes. Does any reasonable person believe that come April 2014, a mass exodus from XP will occur just because Microsoft ominously withdraws support? I don’t think so. I would draw your attention to another panicky setup that came to nothing: Y2K.

  6. Windoze is such a pathetic piece of security Swiss cheese. I am forced to use an HP laptop for work. Security patches, virus and malware protection that require reboots usually number in the high teens are forced on me on a monthly basis and will continue until Windoze 7 goes end-of-life. Why Microsoft? I hate this bloody POS.

    1. Microsoft is trapped by it’s own legacy advantage, and disadvantage. They fear writing another OS from the ground up and lose all compatibility (unless they do their own intermediate Rosetta type emulation) with all of the thousands of Windows apps. Suddenly they would be on equal ground with every other UNIX type OS out there. But still it’s a process they should have started long ago. Now they are caught with their pants down (as I predicted they would be many years ago), not unusual because that’s the way Ballmer T. Clown apparently liked it. I mean like why worry right? They won the OS wars right…? Right….? D’Oh!

  7. Target does not use the correct wording on their fast checkout sign. It reads “10 item or less”. D’oh, it should read “10 items or fewer”.

    Yes Virginia, there is a major difference between less and fewer. On their sign using Fewer would be correct, using Less is not close to being correct.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.