Target confirms: Crooks may have spent holiday shopping season feasting on 40m filched payment cards


The US retail giant Target on Thursday morning confirmed that cyber crooks may have gotten their hands on about 40 million credit and debit card accounts starting the day before Thanksgiving, 27 November, and through into the heart of Christmas shopping mania, 15 December.

Target says that customers who used such payment cards in its US stores during those 2.5 weeks may be affected.

The retailer says on its site that it's retained a "leading" third-party forensics firm to investigate the breach.

The Secret Service has also confirmed to news outlets that it's investigating the breach.

So far, Target says, it's determined that the breached data includes customer names, credit or debit card numbers, card expiration dates, and CVVs (cards' three-digit security codes).

The breach was first reported by security journalist Brian Krebs on Wednesday.

Krebs cited unnamed sources at two major credit card issuers who said that the breach may extend to all Target locations nationwide, with one of the sources saying that the company was seeing victims from all over the US.

So far, there's no indication that the payment details for online sales at Target were affected in the breach.

The theft involves data stored on the magnetic stripe of cards used at the stores, according to Krebs.

That data - known as "track data" - can be used to create counterfeit cards by encoding the data onto any card with a magnetic stripe.

If it turns out that the thieves managed to swipe PIN data for debit transactions, it means that they might also be able to reproduce stolen debit cards and withdraw cash from victims' accounts via ATMs.

While it's not yet known how the data was skimmed, hypotheses are swirling that it might be similar to another massive credit card caper at a retailer: namely, the 2007 hacking of retailers TJ Maxx, Barnes and Noble and BJ's Wholesale Club, which involved a hacking ring that stole over 40 million credit and debit card numbers.

In that caper, the attackers initially exploited insecure corporate wireless networks, gaining access to the communications of several retailers.

Reports emerged in 2007 that the data breach occurred because of weak WEP encryption in use at two Marshalls stores in Miami.

Once they had gained access, the hackers were able to install a packet sniffer on TJX's network which was able to scoop up details of transactions in real-time, including the data stored on payment cards.

But there are plenty more ways to steal credit card information - one such was evidenced in an October breach, when retailer Nordstrom found cash register skimmers planted in a Florida store.

At any rate, all is just conjecture at this point.

For now, Target is telling customers to keep an eye out for suspicious transactions on credit or debit accounts by regularly reviewing account statements and by monitoring free credit reports at or call (877) 322-8228.

Those who do discover suspicious or unusual activity on their accounts or who suspect fraud should report it immediately to their financial institutions.

Incidents of identity theft can also be reported to law enforcement and/or to the Federal Trade Commission (FTC) at or (877) IDTHEFT (438-4338).


7 Responses to Target confirms: Crooks may have spent holiday shopping season feasting on 40m filched payment cards

  1. Bob · 657 days ago

    Maybe it's about time to start suing these companies and just maybe they will take security more seriously. I do not think that Target will finish very strong this holiday season.

  2. Andrew · 657 days ago

    This is the problem with relying on modern technology: someone somewhere is going to try and hack it.

  3. John · 657 days ago

    Target should reimburse the banks to re-issue every one of the cards involved.

  4. I was at Target a couple times during those dates. Good thing I used cash. People think they're safer going to the store instead of buying online. Not anymore. I hope Target isn't dumb enough to use WEP though.

  5. Say no to Credit cards · 657 days ago

    Or do what I do: if I can't afford to pay cash, I don't buy. And yes, I do have credit cards, for the rare online purchase, car rental, lodging. I was in Target, I paid cash. Am I worried? Nope.

  6. Obviously Target lacks a good encryption on their security as well. A weak WEP? /sigh Do these people not realize that there are keygens out there made specifically for hacking WEP keys?

    • OK... first, the WEP statement you so incorrectly commented on was regarding the wireless network hack of TJX/Marshall's from 2007. That data breach was initiated via poor wireless network security from people sitting in the parking lot. Second, Target was attacked via POS or Point of Sales devices which are connected physically to the register. Third... "KeyGens"... seriously?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.