Target said a massive theft of credit and debit card data from its stores may have impacted up to 40 million accounts. It is one of the largest security breaches ever reported. The discount retailer confirmed on Thursday that it is aware of unauthorized access to payment card data between November 27 and December 15. Target has alerted authorities and financial institutions after it became aware of the breach and is working with a third-party forensics firm to investigate the theft, the company said.
A notice on Target’s website says the theft targeted shoppers who made purchases using credit or debit cards in U.S. stores but not on the company’s website. The stolen information includes the customer names, card numbers, expiration dates and the three-digit security code.
Target has 1,797 domestic locations as well as 124 stores in Canada. “Targets first priority is preserving the trust of our guests and we have moved swiftly to address this issue so guests can shop with confidence. We regret any inconvenience this may cause,” Target chairman and CEO Gregg Steinhafel said in a statement. “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.” The U.S. Secret Service is investigating the incident according to spokesman George Ogilvie.
Visa, the world’s largest payments network said it works with companies when their systems have been compromised to provide card issuers with comprised accounts. Card issuers can then “take steps to protect consumers through fraud monitoring and, if needed, reissuing cards.”
Most major card companies like Visa have zero liability policies that cover fraudulent purchases. Visa also noted that incidences of fraud involving compromised accounts are “actually rare,” and its own fraud rates are near historic lows.
The retail industry has grappled with massive data thefts before. In 2007, T.J. Max and HomeGoods reported that thieves stole card numbers and personal data from as many as 90 million cards. Last July federal prosecutors unveiled criminal charges related to the theft of more than 160 million card numbers from companies like J.C. Penny and JetBlue. One of the latest breaches happened last year at Global Payments which is an Atlanta-based payment processing company and information from up to 1.5 million accounts was stolen.
The data breach at Target was first reported by the Krebs on Security website which is operated by computer security expert Brian Krebs. Alex McGeorge, a senior security researcher at Immunity Inc., said the theft of track data, or the information contained on a credit card’s magnetic strip, is an indication that the hackers compromised Target’s point-of-sale, (cash register), terminals. “People have compromised those machines before,” he noted.
Based on information provided by Target, McGeorge also said it’s safe to say a team of hackers was involved and whatever method the thieves used was likely under testing for a while. One potential method would involve an insider planting malware on Target’s network while the hackers could have also used an update utility to push malware to all terminals. He explained that flat networks in which most devices like computers and registers are connected are more susceptible to wide-range attacks. “On a flat network, once they’re on a computer they can talk to 90% of the network,” McGeorge said. “I’ve seen this a lot with companies similar to Target,” he continued. “But the fact that they hit every store got us thinking in that direction.”
We recommend everyone who has shopped at Target during this time frame to watch you statements closely for fraudulent or questionable charges and even possibly asking your credit or debit card provider to issue a new card. Attempts to use your information could occur within hours, days or weeks and sometimes up to years later.
