It had been fairly quiet on the retailer data-breach front for quite some time until Wednesday, when news broke that Target Corp. had suffered what apparently was a major breach of magnetic-stripe data from payment cards. Target confirmed Thursday that the breach potentially compromised 40 million credit and debit accounts, which will make it one of the biggest merchant breaches ever.
In a statement posted on its Web site this morning, Minneapolis-based Target said “it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.”
Target’s statement later said “approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.”
The breach only affected Target’s U.S. stores, of which there are nearly 1,800, and not Target’s e-commerce site. Target said it has hired a forensics firm to investigate. The U.S. Secret Service also is investigating, according to press reports. The Krebs on Security blog broke the story based on information from sources at two large card issuers.
No word was immediately available about if or how much fraud has been committed using the stolen card data. The compromised data, according to Target, include “customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).” The statement did not mention if the hackers obtained personal identification numbers (PINs) for debit cards. A Target spokesperson did not respond to Digital Transactions News’ requests for comment.
The big question now is how the breach happened. Target isn’t saying. Researchers and executives involved in data security doubt the hackers placed skimmers at the point of sale to capture card data from each of Target’s 1,800 stores, a massive task with a high risk of getting caught. “What seems far more likely with large chains like this is they have some problem with remote access,” says Gary Glover, director of security assessment at SecurityMetrics Inc., an Orem, Utah-based vendor. “[Hackers] get into one store, then get into the corporate database, then get into everything. A similar thing may have happened.”
Branden R. Williams, executive vice president of strategy of Ireland-based SysNet Global Solutions, which has U.S. offices in Atlanta and Salt Lake City, says the fraudsters could have installed malicious software (malware) somewhere in Target’s computer system that would enable them to steal data without placing one skimmer. “It can run the attacks remotely,” he says.
The latest iteration of the Dexter virus reportedly generated millions of dollars in losses in South Africa, spread rapidly to Europe, and is now being seen in the U.S., according to Williams. Adds Brad Chronister, manager of security consulting services at Atlanta-based ControlScan Inc.: “Any of these new types of malware—they’re really smart.”
Insider help also is a possibility. “I wouldn’t be surprised if that’s the case with the Target breach—that Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access,” Gartner Inc. security-technology analyst Avivah Litan wrote in a blog post.
In any case, those who stole the data very likely will try to sell it to fraudsters who will then use the information to make counterfeit credit and debit cards. They’ll likely have to work fast because, in contrast to many other card breaches, the compromise was discovered and became publicly known fairly quickly.
Some say the breach is one more reason why the U.S. should get on with the difficult job of converting its magnetic-stripe payment cards to the Europay-Visa-MasterCard (EMV) chip card standard now used in all other major industrial nations. “It’s time for the U.S. card industry to move to chip/smart cards and stop expecting retailers to patch an insecure payment card system” wrote Litan.
With potentially 40 million card accounts affected, many financial institutions could see fraud on their customers’ accounts. Target itself issues its own debit card and has a big credit card portfolio with private-label and Visa card offerings. Target in March sold the credit portfolio, which had $5.7 billion in receivables, to the U.S. affiliate of Toronto-based TD Bank Group, but Target continues to service the accounts. A spokesperson at TD’s Cherry Hill, N.J., U.S. headquarters says by email that “this impacts TD like it does any other issuer. TD Bank is one of many card issuers impacted by this incident.”
Target’s breach could approach the scale of the breach reported in 2007 by retailer TJX Cos., which may have compromised 46 million or more card numbers. Earlier this year, St. Louis-based regional grocery store chain Schnuck Markets Inc. reported that a breach may have compromised up to 2.4 million customers' card data.