Target admitted in a Dec. 19 statement that cyber-criminals had access to credit- and debit-card information associated with 40 million customer accounts.
“The unauthorized access may impact guests who made credit or debit card purchases in our U.S. stores from Nov. 27 to Dec. 15, 2013,” read a note posted on the front of Target’s Website. “Your trust is a top priority for Target, and we deeply regret the inconvenience this may cause.”
The cyber-attackers managed to abscond with customers’ names, credit- and debit-card numbers, card expiration dates, and even the security codes (also known as CVVs) that allow cardholders to make online purchases. Target has already hired a third-party forensics firm to investigate the break-in, in addition to alerting authorities and financial institutions.
Beyond that, however, there’s precious little that Target can do, despite its assertions that the issue has somehow been “identified and resolved.” Although the retailer may have closed the security hole, cyber-attackers had more than two weeks to take their pick of credit-card numbers and identities, and could still use that information for illicit purchasing and identity theft. “You should remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring free credit reports,” continued the note on Target’s Website. “If you discover any suspicious or unusual activity on your accounts or suspect fraud, be sure to report it immediately to your financial institutions.”
Over at KrebsonSecurity, Brian Krebs—who’s been tracking the story for the past few days—shed a little more light on how the attackers accessed Target’s databases. “There are no indications at this time that the breach affected customers who shopped at Target’s online stores,” he wrote. “The type of data stolen—also known as ‘track data’—allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe.” In theory, if the cyber-criminals accessed PIN data associated with customer accounts, they could also recreate debit cards and withdraw cash from ATMs.
“The sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million of cards total from both issuers that were thought to have been compromised in the breach,” Krebs added. “A third source at a data breach investigation firm said it appears that ‘when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.’”
That’s not good news for Target, which can’t afford leery customers during the busiest shopping period of the year. In the comments below Krebs’s article, some readers claimed to have been hit with fraudulent charges after shopping at Target during the attack period.
While the Target breach is particularly high-profile, it certainly won’t be the last: cyber-attackers have grown increasingly sophisticated at penetrating systems, and it’s often hard for IT administrators and security experts to plug every single vulnerability in a sprawling organization. At some point, another big breach will hit the news.