A 17-Year-Old Was Behind the Target, Neiman Marcus Credit Card Hacks

The Citizen's Guide to the Future
Jan. 20 2014 1:30 PM

A 17-Year-Old Was Behind the Target, Neiman Marcus Credit Card Hacks

us_navy_080918n0659h001_a_naval_support_activity_midsouth_sailor_takes_a_moment_to_decide_which_credit_card_to_use
Hackers stole credit card information from customers at Target, Neiman Marcus, and a number of other large retail chains and the companies did not reveal the hacks until months later.

Photo from Wikimedia Commons.

According to a report released Friday by the cyber intelligence group IntelCrawler, a 17-year-old Russian man, username "ree4," appears to have been the author of the point-of-sale malware used for hacks at Target, Neiman Marcus, and six other large U.S. retailers, maybe more. 

Lily Hay Newman Lily Hay Newman

Lily Hay Newman is lead blogger for Future Tense.

IntelCrawler says that ree4 sold his "BlackPOS" malware to more than 60 Eastern European cybercriminals, plus some in other regions. He is based in St. Petersburg and is well-known in forums and the wider hacking community. The IntelCrawler report notes that he wrote other popular malicious tools, "such as 'Ree4 mail brute', ... social networks accounts hacking and DDoS attacks trainings." IntelCrawler's president, Dan Clements, told PCWorld that the group is "90 percent" sure about its conclusions.

But ree4 doesn't seem to have personally taken part in the Target or Neiman Marcus hacks beyond writing and selling the malware. When contacted by the Washington Post, Target declined to comment on the IntelCrawler report. A Neiman Marcus spokeswoman specifically addressed one part, which said that hackers were able to plant the BlackPOS malware because the credit card terminals at the retailers they targeted had default passwords that were guessable and therefore weak. The Neiman Marcus spokeswoman said that she hadn't heard anything about weak passwords from those with direct knowledge of Neiman Marcus' network. Though the Target and Neiman Marcus hacks originally appeared to have been launched at the same time by the same people, it is less clear now whether they were related through more than BlackPOS. In fact it seems increasingly likely that they were not.

Advertisement

The report quoted IntelCrawler's CEO, Andrew Komarov, as saying that more BlackPOS hacks, largely of department stores, are going to come to light soon. This agrees with an article Reuters published on Jan. 12, citing anonymous sources who said they knew of at least three other breaches.

As if all of this wasn't enough, though, the New York Times reported Thursday that Neiman Marcus was hacked in July, didn't discover the problem until mid-December, and wasn't able to get the situation under control until last week. The company says that customers' Social Security numbers and dates of birth do not seem to have been stolen. And Neiman Marcus does not collect customer PIN numbers.

But controversy is brewing about whether the company should have disclosed the hack when it first discovered it in December. It seems that Neiman Marcus admitted the breach when it did only because journalist Brian Krebs discovered the situation and posted about it on his blog. And with so many reports that other companies have been hacked but have not yet come forward, it seems to be time for a discussion about security breach disclosures for retailers.

Regulations in 46 states mandate disclosure when hackers steal customer information in a cyber attack. But different states have different requirements for how long retailers can delay giving notice if there is an ongoing investigation into the hack. There is also state-to-state variation in how much information the retailers have to release about the incident.

Joseph DeMarco, the former head of the cyber crime unit at the U.S. attorney's office in Manhattan, told Newsday, "It's a judgment call. A breach investigation could take weeks or months before you know enough to have a legal obligation to disclose." But consumer advocates are calling for regulation revisions and federal intervention. In summary, this enormous situation seems pretty out of control at the moment.

Future Tense is a partnership of Slate, New America, and Arizona State University.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Lily Hay Newman is lead blogger for Future Tense.

TODAY IN SLATE

Doublex

Crying Rape

False rape accusations exist, and they are a serious problem.

Scotland Is Just the Beginning. Expect More Political Earthquakes in Europe.

I Bought the Huge iPhone. I’m Already Thinking of Returning It.

The Music Industry Is Ignoring Some of the Best Black Women Singing R&B

How Will You Carry Around Your Huge New iPhone? Apple Pants!

Medical Examiner

The Most Terrifying Thing About Ebola 

The disease threatens humanity by preying on humanity.

Television

The Other Huxtable Effect

Thirty years ago, The Cosby Show gave us one of TV’s great feminists.

Lifetime Didn’t Find the Steubenville Rape Case Dramatic Enough. So They Added a Little Self-Immolation.

No, New York Times, Shonda Rhimes Is Not an “Angry Black Woman” 

Brow Beat
Sept. 19 2014 1:39 PM Shonda Rhimes Is Not an “Angry Black Woman,” New York Times. Neither Are Her Characters.
Behold
Sept. 19 2014 1:11 PM An Up-Close Look at the U.S.–Mexico Border
  News & Politics
Politics
Sept. 19 2014 6:22 PM Blacks Don’t Have a Corporal Punishment Problem Americans do. But when blacks exhibit the same behaviors as others, it becomes part of a greater black pathology. 
  Business
Moneybox
Sept. 19 2014 6:35 PM Pabst Blue Ribbon is Being Sold to the Russians, Was So Over Anyway
  Life
Inside Higher Ed
Sept. 19 2014 1:34 PM Empty Seats, Fewer Donors? College football isn’t attracting the audience it used to.
  Double X
The XX Factor
Sept. 19 2014 4:58 PM Steubenville Gets the Lifetime Treatment (And a Cheerleader Erupts Into Flames)
  Slate Plus
Slate Picks
Sept. 19 2014 12:00 PM What Happened at Slate This Week? The Slatest editor tells us to read well-informed skepticism, media criticism, and more.
  Arts
Brow Beat
Sept. 19 2014 4:48 PM You Should Be Listening to Sbtrkt
  Technology
Future Tense
Sept. 19 2014 6:31 PM The One Big Problem With the Enormous New iPhone
  Health & Science
Medical Examiner
Sept. 19 2014 5:09 PM Did America Get Fat by Drinking Diet Soda?   A high-profile study points the finger at artificial sweeteners.
  Sports
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.