The malware behind data breaches at Target and Neiman Marcus during
the holiday shopping season came from a 17-year-old Russian national,
according to published reports over the weekend.
MarketWatch, a financial news and commentary website, and the websites of the New York Daily News and The Washington Post said Intelcrawler,
a California-based Internet security firm, identified the creator of
the malicious software. His name has not yet been published.
Intelcrawler blog post late Friday said the teenager, who is from St.
Petersburg, wrote the programming code that enabled personal
information, including credit card data, emails and home addresses to be
obtained from millions of shoppers at Target and Neiman Marcus in late
He allegedly sold the malware, dubbed BlackPOS,
according to the published reports, to cybercriminals in eastern Europe,
who have not been identified. Intelcrawler CEO Andrew Komarov said the
software enabled the identity thieves to remotely hack into the
retailers' electronic cash registers and obtain the personal information
Komarov also said that the malware has been
downloaded some 60 times, according to the published reports, raising
the possibility that other retailers besides Target and Neiman Marcus
were hacked in recent weeks or might be at risk of being hacked in the
Target, the nation's second-largest retailer, has apologized for the
security breach, which it said affected up to 110 million shoppers.
Neiman Marcus has not said how many customers were affected by its
breach, though several security analysts have said they believe it was
at least 1 million shoppers.
State and federal officials,
including the Secret Service, have launched an extensive investigation
into the Target and Neiman Marcus breaches.