If you did some Christmas shopping at Target over the last few
weeks, you’ll want to pay close attention to your credit card
statements, as the retailer is dealing with a major data breach.
Target is just now
confirming the security breach
that resulted in compromised credit card information, but some of the
details are still missing. Here’s what we know so far, and what Target
shoppers should be aware of:
Who is affected?
Target says 40 million credit and debit cards may have been
compromised. If you shopped at a U.S. Target store between November 27
and December 15, you should assume you’re at risk and keep a close watch
on your account statements. It’s not clear whether every Target store
was affected, but at least one card issuer says it’s seeing signs of
fraud all over the United States,
according to Krebs on Security. You’re not in any danger if you shopped at Target’s website, or one of the company’s Canada stores.
What information was taken?
Target says the attackers gained access to customer names, credit
card or debit card numbers, card expiration dates and CVV security
codes. Krebs on Security and the
report that the thieves accessed data from the magnetic stripes stored on the back of credit and debit cards. Wall Street Journal
What’s the risk for Target shoppers?
The attackers could use magnetic stripe data to create counterfeit payment cards. The
Wall Street Journal
notes that crime rings often use these counterfeits to purchase gift
cards at major retailers, and then convert them back to cash. The
attackers could also withdraw cash from ATMs if they managed to steal
PIN data from debit transactions, Krebs on Security notes.
What the heck? How did this happen?
Security breaches often involve hacking into a company’s servers and
making off with the data, but the Target breach appears to be different.
According to the
Wall Street Journal, this theft “may have
involved tampering with the machines customers use to swipe their cards
when making purchases.” How the thieves were able to compromise payment
terminals on such a large scale is unclear.
What should Target shoppers do now?
Target recommends keeping an eye on your credit or debit card
statements and calling your bank or card provider if you see any
fraudulent activity. As a general rule, you should get a copy of your
credit report periodically by visiting
AnnualCreditReport.com or calling (877) 322-8228. You can also set up a fraud alert through the three nationwide credit reporting agencies, Equifax, Experian and Transunion.
The problem, as one Krebs on Security commenter
is that automatic fraud detection could fail if the thieves are able to
localize the stolen card details and make purchases near where
cardholders live. The only guaranteed way to avoid fraud is to cancel
your card and get a new card number, but that might not be necessary if
you keep a close watch on your statements.
What is Target doing about the breach?
The retailer says it has ”moved swiftly to address this issue so
guests can shop with confidence,” and has also hired a third party
forensics firm to investigate. The
Secret Service is also investigating, as it often does for large-scale credit card data hacking.
How common is this sort of thing?
Too common, unfortunately. A 2007 security breach at T.J. Maxx
resulted in the theft of card numbers and personal data for roughly
90 million customers.
Worth noting in that case is that the original estimate was just 45.7
million affected customers — still enough to be the largest payment card
security breach ever at the time. Federal prosecutors are also still
investigating a group of security breaches that resulted in more than
160 million stolen credit and debit card numbers, from companies
including J.C. Penney, 7-Eleven and JetBlue. A breach of Heartland
Payment Systems in 2009 resulted in stolen data on more than 130 million