BOSTON — Target Corp. said hackers have stolen data from up to 40 million credit and debit cards of shoppers who visited its stores during the first three weeks of the holiday season. It is the second-largest such breach ever reported by a U.S. retailer.
The hackers worked at unprecedented speed, carrying out their operation from the day before Thanksgiving to this past Sunday, 19 days that are the heart of the crucial Christmas holiday sales season.
Krebs on Security, a closely watched security industry blog that broke the news on Wednesday, said the breach involved nearly all of Target’s 1,797 stores in the United States.
The U.S. Secret Service is working on the investigation, according to an agency spokeswoman. A Federal Bureau of Investigation spokeswoman declined to comment.
Customers who made purchases by swiping their cards at its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the card, Target said.
There was no indication that the three- or four-digit security numbers visible on the back of the card were affected.
Target, the third-largest U.S. retailer, said Thursday that it was working with federal law enforcement and outside experts to prevent similar attacks in the future. It did not disclose how its systems were compromised.
Representatives for J.C. Penney, Walmart Stores, Best Buy and Home Depot said they believed their systems had not been compromised in similar attacks.
Target did not detect the attack on its own, according to a person familiar with the investigation. The retailer was alerted its systems might have been compromised by credit card processors who had noticed a surge in fraudulent transactions involving credit cards that had been used at Target, according to the source, who was not authorized to discuss the matter.
The timing of the breach could not have been worse for Target, coming just before three of the four busiest days of what has been a bruising holiday season for retailers, with the highest level of discounting in years. Target itself last month lowered its profit forecast for the year after disappointing sales in the third quarter.
“This could hurt the end of the holiday season if for no other reason than many of their customers have to cancel cards ahead of holidays,” said Janney Capital Markets analyst David Strasser.
Complaints from customers began to surface on social media as they learned of it early Thursday morning. Customers vented their anger online and in person on Thursday, with one suggesting a new company slogan: “Expect More. Except Security.”
Lawyers interviewed Thursday said that there will almost definitely be class action suits against Target.
The affected payment cards include Target’s REDcard private label debit and credit cards as well as other bank cards, Target spokeswoman Molly Snyder told Reuters on Thursday. She declined to say if the incident was affecting store traffic.
AN INSIDE JOB?
Avivah Litan, a security analyst with Gartner Research, said that given all the security, she believes the breach may have been an inside job.
But thefts of this size are too big to be the work of company employees, said Ken Stasiak, founder and CEO of Secure State, a Cleveland-based information security firm that investigates data breaches like this one. Stasiak said that such breaches are generally perpetrated by organized crime or an overseas, state-sponsored hacker group.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.
Since then, companies have gotten far more adept at identifying intruders. But criminals have responded by developing more-powerful attack strategies, spending months on reconnaissance to launch highly sophisticated schemes with the goal of extracting as much data as they can in the shortest period of time.
Target’s shares closed down 2.2 percent at $62.15 on the New York Stock Exchange on Thursday afternoon, while the Standard & Poor’s 500 stock index fell 0.06 percent.
The company identified the breach Sunday and began responding to it the same day, Snyder said. She declined to explain why the retailer waited until Thursday to alert customers about the breach.
Many customers complained they could not get through to the call center and could not get on Target’s branded credit card website. The company apologized and said it was “working hard” to resolve the issue and adding more workers to field calls and fix website issues.
Christopher Browning, of Chesterfield, Va., said he was the victim of credit card fraud earlier this week and believes it was tied to a purchase he made at Target with his Visa card on Black Friday. When he called Visa on Thursday, the card issuer could not confirm his suspicions. He said he has not been able to get through to Target’s call center.
On Monday, Browning received a call from his bank’s anti-fraud unit saying that there were two attempts to use his credit card in California — one at a casino in Tracey, Calif., for $8,000 and the other at a casino in Pacheco, for $3,000. Both occurred on Sunday and both were denied. He canceled his credit card and plans to use cash.
“I won’t shop at Target again until the people behind this theft are caught or the reasons for the breach are identified and fixed,” he said.
Still, consumers tend to have short memories with these things, so even if it is bad now, it will likely be less of an issue next quarter, said Gartner analyst Litan.
Q&A: WHAT TO KNOW IF YOU HAVE RECENTLY SHOPPED AT TARGET
Target says anyone who made purchases by swiping cards at terminals in its U.S. stores between Nov. 27 and Dec. 15 may have had their accounts exposed. The stolen data includes customer names, credit and debit card numbers and card expiration dates. The stolen information included Target store brand cards and major card brands such as Visa and MasterCard. The data breach did not affect online purchases, the company said.
Question: I shopped at Target during that time. What should I do?
Answer: Check your credit card statements carefully. If you see suspicious charges, report the activity to your credit card companies and call Target at 866-852-8680. You can report cases of identity theft to law enforcement or the Federal Trade Commission. You can get more information about identity theft on the FTC’s website at consumer.gov/idtheft, or by calling the FTC at 877-438-4338.
Q: How did the breach occur?
A: Target isn’t saying how it happened. Industry experts note that companies such as Target spend millions of dollars each year on credit card security, making a theft of this magnitude particularly alarming.
Q: What should I do if my card or cards have been compromised?
A: Experts say to close the account immediately by contacting the bank or company that issued you the card. It can be inconvenient to wait for a new account number and card, especially during the holiday shopping season. But it protects you from potential losses. Watch your statement and report any transactions you did not authorize. Consumers are protected against fraudulent transactions.
Q: Who pays if there are fraudulent charges on my account?
A: The good news is in most cases consumers aren’t on the hook for fraudulent charges. Credit card companies are often able to flag the charges before they go through and shut down your card. If that doesn’t happen, the card issuer will generally strip charges you claim are fraudulent off your card immediately. And since the fraud has been tied to Target, it’ll be the retailer that ultimately compensates the banks and credit card companies.
Q: How much is this going to cost Target?
A: It’s too soon to tell. In addition to the fraud-related losses, banks may start charging Target a higher merchant discount rate, which is the amount retailers pay banks for providing debit and credit card services. While the percentage difference may be tiny, it could result in steep costs given the volume of transactions Target does.
Q: How long should I be vigilant if I suspect my information may have been compromised?
A: “Always. You need to always be checking your statements,” said Jana Castanon, media relations manager for Apprisen, a national nonprofit consumer credit counseling agency. News about data breaches often isn’t immediately public but shoppers can be victimized quickly. With online access, most consumers can see the activity on their accounts at any time. And scammers may wait before using a stolen account identity.
Q: Which is safer to use, a debit card or credit card?
A: Either is fine, but experts recommend choosing credit when you use a debit card. Castanon said it moves the transaction under the consumer protections of the payments company, such as Visa, that may be stronger than the protections offered by the bank that issued you the card. The funds still will move like a debit, without exposing you to future payments or interest costs.
Q: What else can I do?
A: Arvest Bank offered these recommendations: Destroy your receipts when discarding them so that no one can pull personal information from them. Protect your card number, and don’t give it out over the phone to a caller unless you initiated the call to make a purchase from a reputable company.
Q: Is it safer to shop online?
A: Target said its online shoppers weren’t compromised, but online transactions present their own dangers. Experts say to deal with recognized vendor sites and do what you can to ensure the transaction is secured, often with an image of a closed padlock. Be alert to where links on a site actually take you. Hover over the link with your cursor and the address will be displayed on your screen. If it doesn’t look right, the link may be sending you to a scam.
The Associated Press contributed to this report. Sources: The Associated Press, The Kansas City Star