Sophos Cloud Optix
The US retail giant Target on Thursday morning confirmed that cyber crooks may have gotten their hands on about 40 million credit and debit card accounts starting the day before Thanksgiving, 27 November, and through into the heart of Christmas shopping mania, 15 December.
Target says that customers who used such payment cards in its US stores during those 2.5 weeks may be affected.
The retailer says on its site that it’s retained a “leading” third-party forensics firm to investigate the breach.
The Secret Service has also confirmed to news outlets that it’s investigating the breach.
So far, Target says, it’s determined that the breached data includes customer names, credit or debit card numbers, card expiration dates, and CVVs (cards’ three-digit security codes).
The breach was first reported by security journalist Brian Krebs on Wednesday.
Krebs cited unnamed sources at two major credit card issuers who said that the breach may extend to all Target locations nationwide, with one of the sources saying that the company was seeing victims from all over the US.
So far, there’s no indication that the payment details for online sales at Target were affected in the breach.
The theft involves data stored on the magnetic stripe of cards used at the stores, according to Krebs.
That data – known as “track data” – can be used to create counterfeit cards by encoding the data onto any card with a magnetic stripe.
If it turns out that the thieves managed to swipe PIN data for debit transactions, it means that they might also be able to reproduce stolen debit cards and withdraw cash from victims’ accounts via ATMs.
While it’s not yet known how the data was skimmed, hypotheses are swirling that it might be similar to another massive credit card caper at a retailer: namely, the 2007 hacking of retailers TJ Maxx, Barnes and Noble and BJ’s Wholesale Club, which involved a hacking ring that stole over 40 million credit and debit card numbers.
In that caper, the attackers initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers.
Reports emerged in 2007 that the data breach occurred because of weak WEP encryption in use at two Marshalls stores in Miami.
Once they had gained access, the hackers were able to install a packet sniffer on TJX’s network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.
But there are plenty more ways to steal credit card information – one such was evidenced in an October breach, when retailer Nordstrom found cash register skimmers planted in a Florida store.
At any rate, all is just conjecture at this point.
For now, Target is telling customers to keep an eye out for suspicious transactions on credit or debit accounts by regularly reviewing account statements and by monitoring free credit reports at www.AnnualCreditReport.com or call (877) 322-8228.
Those who do discover suspicious or unusual activity on their accounts or who suspect fraud should report it immediately to their financial institutions.
Incidents of identity theft can also be reported to law enforcement and/or to the Federal Trade Commission (FTC) at www.consumer.gov/idtheft or (877) IDTHEFT (438-4338).
Maybe it’s about time to start sueing these companies and just maybe they will take security more seriously. I do not think that Target will finish very strong this holiday season.
This is the problem with relying on modern technology some one somewhere is going to try and hack it.
Target should reimburse the banks to re-issue every one of the cards involved
I was at Target a couple times during those dates. Good thing I used cash. People think they’re safer going to the store instead of buying online. Not anymore. I hope Target isn’t dumb enough to use WEP though.
Or do what I do, If I can’t afford to pay cash I don’t buy. And Yes I do have credit cards. For the rare Online purchase, car rental, lodging. I was in Target, I paid cash. Am I worried? Nope.
Obviously Target lacks a good encryption on their security as well. A weak WEP? /sigh Do these people not realize that their are keygens out there made specifically for hacking WEP keys?
OK… first, the WEP statement to which you so incorrectly commented about was regarding the wireless network hack of TJX/Marshall’s from 2007. That data breach was initiated via poor wireless network security from people sitting in the parking lot. Second, Target was attacked via POS or Point of Sales devices which are connected physically to the register. Third… “KeyGens”…seriously?