The US retail giant Target on Thursday morning confirmed that cyber crooks may have gotten their hands on about 40 million credit and debit card accounts starting the day before Thanksgiving, 27 November, and through into the heart of Christmas shopping mania, 15 December.
Target says that customers who used such payment cards in its US stores during those 2.5 weeks may be affected.
The retailer says on its site that it’s retained a “leading” third-party forensics firm to investigate the breach.
The Secret Service has also confirmed to news outlets that it’s investigating the breach.
So far, Target says, it’s determined that the breached data includes customer names, credit or debit card numbers, card expiration dates, and CVVs (cards’ three-digit security codes).
The breach was first reported by security journalist Brian Krebs on Wednesday.
Krebs cited unnamed sources at two major credit card issuers who said that the breach may extend to all Target locations nationwide, with one of the sources saying that the company was seeing victims from all over the US.
So far, there’s no indication that the payment details for online sales at Target were affected in the breach.
The theft involves data stored on the magnetic stripe of cards used at the stores, according to Krebs.
That data – known as “track data” – can be used to create counterfeit cards by encoding the data onto any card with a magnetic stripe.
If it turns out that the thieves managed to swipe PIN data for debit transactions, it means that they might also be able to reproduce stolen debit cards and withdraw cash from victims’ accounts via ATMs.
While it’s not yet known how the data was skimmed, hypotheses are swirling that it might be similar to another massive credit card caper at a retailer: namely, the 2007 hacking of retailers TJ Maxx, Barnes and Noble and BJ’s Wholesale Club, which involved a hacking ring that stole over 40 million credit and debit card numbers.
In that caper, the attackers initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers.
Reports emerged in 2007 that the data breach occurred because of weak WEP encryption in use at two Marshalls stores in Miami.
Once they had gained access, the hackers were able to install a packet sniffer on TJX’s network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.
But there are plenty more ways to steal credit card information – one such was evidenced in an October breach, when retailer Nordstrom found cash register skimmers planted in a Florida store.
At any rate, all is just conjecture at this point.
For now, Target is telling customers to keep an eye out for suspicious transactions on credit or debit accounts by regularly reviewing account statements and by monitoring free credit reports at www.AnnualCreditReport.com or call (877) 322-8228.
Those who do discover suspicious or unusual activity on their accounts or who suspect fraud should report it immediately to their financial institutions.
Incidents of identity theft can also be reported to law enforcement and/or to the Federal Trade Commission (FTC) at www.consumer.gov/idtheft or (877) IDTHEFT (438-4338).Follow @NakedSecurity