Happy Holidays: Target & Secret Service Investigating Credit/Debit Card Breach

Because it’s not the holidays without family, friends, gifts, reindeer, and news of a massive breach of credit and debit card records, the folks at Target are reportedly looking into the possibility that its customers’ information may have been compromised during the busiest shopping season of the year.
UPDATE: The U.S. Secret Service has confirmed to the Wall Street Journal that it is investigating the data breach, which is believed to have taken advantage of a vulnerability in the network of some 40,000 card-scanning devices used at Target stores nationwide.

Cybersecurity expert Brian Krebs cites multiple sources at large credit card issuers who tell him that the retailer is investigating a potential data breach that appears to have begun on Black Friday, and which would impact nearly all of the store’s locations in the U.S.

Krebs’ sources say the alleged breach only lasted for about a week, but it’s recently been discovered that it may have continued until around Dec. 15. The total number of accounts affected by the hack is not known, but millions of people all over the country flooded Target stores during these weeks in preparation for the Christmas holiday.

He reports that the “track data” allegedly stolen from customers’ accounts allows the data thieves to create counterfeit cards by encoding that information onto any blank card with a magnetic strip. Debit cards would also be at risk if the hackers have access to PIN information for cardholders. Duplicated debit cards could be used to siphon cash directly from accounts via ATM.

It’s not yet known if the breach extends to Target.com customers.

“The breach window is definitely expanding,” one anti-fraud analyst at a bank card issuer tells Krebs. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

Another analyst says that if the breach is as bad as it appears, it could be “up there with some of the largest retail breaches to date.”

As of hitting “Publish” on this post, Target has not responded to requests for comment.

Speaking with Target’s hometown paper, the Minneapolis Star-Tribune, Krebs says he has not heard from his sources about the hack being tied to any fraudulent charges on Target customers’ cards, but cautions that the thieves may have been biding their time before unloading all the pilfered data.

“There are so many stolen cards that the market for them is flooded and it’s hard for thieves to get much money for them anymore,” he explains. “And if the card numbers aren’t sold, they’re not being used.”

By law, credit card holders are only liable for up to $50 for fraudulent purchases, though a recent survey shows that all four of the major credit networks — Visa, MasterCard, Discover, and American Express — have $0 liability policies for cardholders. Some of these companies also extend this policy to debit cardholders who make purchases using the “credit” option at the point of purchase.

Anyone who has used a credit or debit card at Target in the last month should check their accounts to make sure there are no questionable purchases, debits, or transfers.

As you’ll notice in the Krebs report, this information is coming not from Target but from the card issuers. Why? We can only presume that Target was hoping to minimize the publicity damage in the middle of the super-busy holidays season. The card companies and banks meanwhile would want this information to be made public so that cardholders are proactively checking for fraudulent activity before it happens. News of the breach may also give the thieves a good reason to not make this stolen information public.

Read Comments3

Edit Your Comment

  1. CommonC3nts says:

    This is why you use a real credit card and not a debit card.
    Anyone that used credit has nothing to worry about.
    Those that used debit cards need to change their card immediately as their account could be drained at any time.

    • PhillyDom says:

      Unless there’s no money in the account to drain. I have a separate account for things like the Target REDcard which I transfer money to as needed. Otherwise, there’s a buck and change in it.

  2. theoriginalcatastrophegirl says:

    i checked and i used my debit card at target twice during that time frame.
    so i logged into my credit union account. and this was on the front page:

    “Target Stores Breach Information
    Last Updated: 12/19/2013 11:02:23 AM

    Target Stores has reported a potential security breach regarding debit and credit cards used at their stores from November 27th through December 15th. The Secret Service and other entities are working with Target to obtain additional information.

    We wanted to provide you with the following important information:

    • We are aware of the incident and are working with VISA and others.

    • You will have $0 liability for any potential fraudulent activity that may be attempted.

    • We monitor your debit and credit card activity 24 hours a day, 7 days a week for suspicious transactions and will contact you immediately if we identify a suspect transaction. This is usually done by phone if you have provided the Credit Union with your contact information.

    • Please continue to monitor your account and should you see any unauthorized activity, let us know immediately.

    • We realize that the holiday season is an important time for your cards to work. As such please be advised that the Credit Union WILL NOT automatically reissue cards prior to the end of the year to assure that you are not inconvenienced by this breach that occurred at Target.
    • However, if you would like to have your debit or credit card re-issued immediately please call your local branch or the Contact Center at (888) ___-____ for assistance.

    • We have been advised that members who have a Target REDcard should contact Target directly for additional information.

    If you have any further concerns or questions please let us know.”

    i love my credit union. no liability for fraudulent use on either the debit or the credit card accounts. and human understanding that maybe automatically killing your card without notice could be a problem this time of year! (during the michael’s crafts breach they automatically reissued all breached cards within 24 hours)

    *edit to include the a few lines of text from the credit union that i missed copying. – the bit about the redcard doesn’t apply to me but it might apply to some readers