If you did some Christmas shopping at Target over the last few weeks, you’ll want to pay close attention to your credit card statements, as the retailer is dealing with a major data breach.
Target is just now confirming the security breach that resulted in compromised credit card information, but some of the details are still missing. Here’s what we know so far, and what Target shoppers should be aware of:
Who is affected?
Target says 40 million credit and debit cards may have been compromised. If you shopped at a U.S. Target store between November 27 and December 15, you should assume you’re at risk and keep a close watch on your account statements. It’s not clear whether every Target store was affected, but at least one card issuer says it’s seeing signs of fraud all over the United States, according to Krebs on Security. You’re not in any danger if you shopped at Target’s website, or one of the company’s Canada stores.
What information was taken?
Target says the attackers gained access to customer names, credit card or debit card numbers, card expiration dates and CVV security codes. Krebs on Security and the Wall Street Journal report that the thieves accessed data from the magnetic stripes stored on the back of credit and debit cards.
What’s the risk for Target shoppers?
The attackers could use magnetic stripe data to create counterfeit payment cards. The Wall Street Journal notes that crime rings often use these counterfeits to purchase gift cards at major retailers, and then convert them back to cash. The attackers could also withdraw cash from ATMs if they managed to steal PIN data from debit transactions, Krebs on Security notes.
What the heck? How did this happen?
Security breaches often involve hacking into a company’s servers and making off with the data, but the Target breach appears to be different. According to the Wall Street Journal, this theft “may have involved tampering with the machines customers use to swipe their cards when making purchases.” How the thieves were able to compromise payment terminals on such a large scale is unclear.
What should Target shoppers do now?
Target recommends keeping an eye on your credit or debit card statements and calling your bank or card provider if you see any fraudulent activity. As a general rule, you should get a copy of your credit report periodically by visiting AnnualCreditReport.com or calling (877) 322-8228. You can also set up a fraud alert through the three nationwide credit reporting agencies, Equifax, Experian and Transunion.
The problem, as one Krebs on Security commenter points out, is that automatic fraud detection could fail if the thieves are able to localize the stolen card details and make purchases near where cardholders live. The only guaranteed way to avoid fraud is to cancel your card and get a new card number, but that might not be necessary if you keep a close watch on your statements.
What is Target doing about the breach?
The retailer says it has “moved swiftly to address this issue so guests can shop with confidence,” and has also hired a third party forensics firm to investigate. The Secret Service is also investigating, as it often does for large-scale credit card data hacking.
How common is this sort of thing?
Too common, unfortunately. A 2007 security breach at T.J. Maxx resulted in the theft of card numbers and personal data for roughly 90 million customers. Worth noting in that case is that the original estimate was just 45.7 million affected customers — still enough to be the largest payment card security breach ever at the time. Federal prosecutors are also still investigating a group of security breaches that resulted in more than 160 million stolen credit and debit card numbers, from companies including J.C. Penney, 7-Eleven and JetBlue. A breach of Heartland Payment Systems in 2009 resulted in stolen data on more than 130 million cards.