UPDATE: The U.S. Secret Service has confirmed to the Wall Street Journal that it is investigating the data breach, which is believed to have taken advantage of a vulnerability in the network of some 40,000 card-scanning devices used at Target stores nationwide.
Cybersecurity expert Brian Krebs cites multiple sources at large credit card issuers who tell him that the retailer is investigating a potential data breach that appears to have begun on Black Friday, and which would impact nearly all of the store’s locations in the U.S.
Krebs’ sources say the alleged breach only lasted for about a week, but it’s recently been discovered that it may have continued until around Dec. 15. The total number of accounts affected by the hack is not known, but millions of people all over the country flooded Target stores during these weeks in preparation for the Christmas holiday.
He reports that the “track data” allegedly stolen from customers’ accounts allows the data thieves to create counterfeit cards by encoding that information onto any blank card with a magnetic strip. Debit cards would also be at risk if the hackers have access to PIN information for cardholders. Duplicated debit cards could be used to siphon cash directly from accounts via ATM.
It’s not yet known if the breach extends to Target.com customers.
“The breach window is definitely expanding,” one anti-fraud analyst at a bank card issuer tells Krebs. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
Another analyst says that if the breach is as bad as it appears, it could be “up there with some of the largest retail breaches to date.”
As of hitting “Publish” on this post, Target has not responded to requests for comment.
Speaking with Target’s hometown paper, the Minneapolis Star-Tribune, Krebs says he has not heard from his sources about the hack being tied to any fraudulent charges on Target customers’ cards, but cautions that the thieves may have been biding their time before unloading all the pilfered data.
“There are so many stolen cards that the market for them is flooded and it’s hard for thieves to get much money for them anymore,” he explains. “And if the card numbers aren’t sold, they’re not being used.”
By law, credit card holders are only liable for up to $50 for fraudulent purchases, though a recent survey shows that all four of the major credit networks — Visa, MasterCard, Discover, and American Express — have $0 liability policies for cardholders. Some of these companies also extend this policy to debit cardholders who make purchases using the “credit” option at the point of purchase.
Anyone who has used a credit or debit card at Target in the last month should check their accounts to make sure there are no questionable purchases, debits, or transfers.
As you’ll notice in the Krebs report, this information is coming not from Target but from the card issuers. Why? We can only presume that Target was hoping to minimize the publicity damage in the middle of the super-busy holiday season. The card companies and banks, meanwhile, would want this information to be made public so that cardholders are proactively checking for fraudulent activity before it happens. News of the breach may also give the thieves a good reason to not make this stolen information public.