December 18, 2013

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.

Update, Dec. 19: 8:20 a.m. ET: Target released a statement this morning confirming a breach, saying that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013.

Original story:

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s bricks-and-mortar stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.

It’s not clear how many cards thieves may have stolen in the breach. But the sources I spoke with from two major card issuers said they have so far been notified by one of the credit card associations regarding more than one million cards total from both issuers that were thought to have been compromised in the breach. A third source at a data breach investigation firm said it appears that “when all is said and done, this one will put its mark up there with some of the largest retail breaches to date.”

Some of the largest retailer breaches to date may help explain what happened in this case. In 2007, retailer TJX announced that its systems had been breached by hackers. The company later learned that thieves had used the store’s wireless networks to access systems at its Massachusetts headquarters that were used to store data related to payment card, check and return transactions at stores across the country, and that crooks had made off with data from more than 45 million customer credit and debit cards.

In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

This is likely to be a fast-moving story. Stay tuned for updates as they become available.

Follow-up reporting on the Target breach:

Cards Stolen in Target Breach Flood Underground Markets

New Clues in the Target Breach

A First Look at the Target Intrusion, Malware

A Closer Look at the Target Malware, Part II

Fire Sale on Cards Stolen in Target Breach

Card Backlog Extends Pain from Target Breach

Target Hackers Broke in Via HVAC Company

Email Attack on Vendor Set Up Breach at Target

Who’s Selling Credit Cards Stolen from Target?

The Target Breach, By the Numbers

Inside Target Corp., Days After 2013 Breach


620 thoughts on “Sources: Target Investigating Data Breach”

  1. Ben

    Used my Capital One Mastercard at Target here in Philadelphia the day after Black Friday. Nothing happened till yesterday, when Capital One called me about “suspicious transactions.” By then, there were at least ten fraudulent successful uses of the card, all yesterday, at car-related businesses, restaurants and electronic stores.

    What I don’t get is this: since the breach was national in nature, how come all the above transactions happened within a mile of downtown Philadelphia? Is it possible that the stolen numbers were sold sorted out by city?

    1. Anon

      Ben – the vendors selling the data have sorted the accounts by zip code of the compromised Target location. Best chances in this case of fraudsters getting approved transactions are to buy cards from the same area they operate out of. California card used for fraud transactions in Georgia, little bit more suspicious and more likely to run into fraud defenses.

    2. Mary1

      ACTUALLY, the information pertaining to dates is incorrect. This has been going on as far back as AT LEAST August. Someone on here mentioned transactions being made on Dec. 13th and 14th at a Target in Flushing, NY. The same thing happened to me on both days, and from the Target location in Flushing, NY as well with one of my bank cards. BUT, in August the SAME THING happened to me where a DIFFERENT BANK and bank card (used literally 4 times for any type of purchase) was used at the same Target in Flushing, NY. Back in August, I thought that those fraudulent transactions were due to some people at a new doctor’s office I provided my information to scamming. After hearing about this, I checked my bank statements and both cards were used at a Target (NOT IN FLUSHING, NY) with one transaction going back to March, 2013. NOW, it all adds up. It doesn’t matter when you swiped your card or which Target you swiped it in, EVERYONE SHOULD BE CAUTIOUS AND CONSIDER GETTING NEW BANK CARDS. People are evil and greedy. Please be careful, everyone.

      1. RBBrittain

        That only means the thief USED the stolen info at Target in Flushing; that does NOT mean he GOT it from there. Everyone should be vigilant at ALL times, but NOTHING you posted suggests Target’s OWN systems were breached prior to 11/27.

  2. DefendOurFree

    Customers who suspect unauthorized activity should contact Target at 866-852-8680

    1. Snowden is a Patriot

      No. If you suspect unauthorized activity on your credit card, you call your credit card company. Target can’t do anything at this point. They are the victim of hackers.

      If you swiped your credit card at Target between Nov 27 and Dec 15, your credit card is compromised. Call your credit card company and get a new number.

      1. DefendOurFree

        The notices from information being put out by Target just say:

        “Guests that suspect there has been unauthorized activity on their cards should report it to their credit card companies and call Target at 866-852-8680”

        They may be collecting victim information. That isn’t in lieu of contacting your own card provider. But you shouldn’t be posting to people not to do what Target is instructing.

        1. RBBrittain

          In addition, REDcard debit cards are issued by Target, and AFAIK Target still does a lot of work on REDcard credit cards (formerly issued by a Target-owned card bank but sold to TD Bank earlier this year); for those Target should be the FIRST place you call. In fact, if it’s REDcard debit your own bank may NOT be able to do much about it, except reverse fraudulent transactions already deducted from your checking account; card reissuance, etc. is done by Target, *not* your bank.

        2. Dennis

          Just to clarify the whole credit card and who to report to… if you own a Target Red credit or debit card and were a victim of fraud, you contact Target as instructed in their press release. If you own a non-Target credit card/debit card not issued by Target/its affiliates, then you contact your respective financial institution to report the fraud.

        1. DefendOurFree

          And comments to the PRESS during interviews have been:

          “Guests who suspect unauthorized activity should contact Target at: 866-852-8680”

          http://www.kktv.com/home/headlines/Target-40-Million-Credit-Cards-Compromised-236536761.html

          http://www.upnorthlive.com/news/story.aspx?id=985172

          http://abclocal.go.com/wpvi/story?section=news/national_world&id=9365536

          http://wwmt.com/shared/news/features/top-stories/stories/wwmt_40-million-accounts-affected-target-security-breach-16703.shtml

          ETC.

      2. Teri

        THANKS for the tip on what to do right now. Amazing it took this long for them to let people know. Thanks Mr. Krebs!!!

  3. Sean

    The current NBC.com article cites Krebs On Security as the first to break the story, as well as an earlier Reuters piece on the news site. Great work, Brian. The AP article in the WP doesn’t mention this blog, though (would have been nice).

  4. Michele

    Do they know if this has affected the Canadian Target stores also?

    1. RBBrittain

      NO; Target has specifically said its Canadian stores were NOT affected. (Australia also has stores called Target, but that’s a different company.)

  5. NotMe

    Here are some URLs, the fraudsters will love me posting this:

    Rescator.la (shop)
    Kaddafi.hk (shop)
    Octavian.su (mirror of Rescator)

    Lampeduz.la (forum)

    ENJOY!

  6. Unhappy customer

    Yes, and Target insists on swiping your driver’s license to buy a video game, I bet they were exfiltrated also. In the past, I’ve asked the manager where their privacy statement is and why they need to swipe it in, they said they didn’t know.

    1. DefendOurFree

      Good point! That should be bumped up. That would be a violation of the DPPA. *Additional Felony charges*.

      1. amy

        Better yet, when a retailer wants your driver’s license for a cash transaction for a simple retail purchase of an uncontrolled item… tell them where they can shove it and go buy it somewhere else. DO NOT let things like this stand.

        1. Wendy

          I rarely shop at Target…but chose to purchase one item there for xmas on Dec. 14th. Interestingly, I was asked for my driver’s license as well…which I refused to allow them to ‘scan…’ instead had a manager approve it visibly. I had the weirdest feeling during that entire transaction…and the clerk stated that customers have been enraged by the request for driver’s licenses. Not sure if I avoided anything by not scanning it…but will be sure NOT TO SHOP AT TARGET ever again.

  7. JE

    My mother’s credit card was compromised and apparently used successfully twice in Toronto, Canada. My experience in Canada is that merchants rarely ask for identification when using a credit card because card security in Canada is generally better there.

    1. Chris

      Target is saying that the breach was limited to US stores. Was your mother’s card used only in Canada or was it used recently in the US?

    2. moodi

      “JE” Did your mother shop in Target, USA or a Canadian store?
      Thanks

  8. Dana

    Do we know how the data was stolen? Did they use malware on POS systems? Did they breach into a central payment processing system?

  9. Chris

    From a 2011 Microsoft case study, each Target store operates as an autonomous unit including their POS solution and security management; only centralized authentication, domain name resolution, and endpoint monitoring services are served up centrally. From this article Target recently migrated to two physical servers per store using Microsoft virtualization platform.

    Also in the last 6 months Target rolled out new POS terminals at their stores. These new devices are pretty slick with color displays. I am not sure of the manufacturer.

    With such a decentralized model, I am guessing that it was either a compromise of the POS terminals during manufacturing or deployment or a widespread malware infection. Since full track data was involved including CVV which is not allowed to be stored, I am guessing malware that scraped the server’s memory.

    The question is did this happen within the POS system virtual machine or did something in another VM manage to scavenge the data. This could have serious implications for companies that are heavily relying on virtualization including cloud providers.

    Another interesting question, if this is malware related how did it get out to all stores and only affect US stores? In a retail environment, generally you prevent one store from communicating directly with any other store.

    1. Evan

      Just to clarify on the CVV, this would be the CVV1 stored on the mag stripe and not related to the CVV2 which is only printed on the back of the card. CVV1 could not be used for making card not present transactions online (at least with a vendor who actually requires CVV2 as part of purchase (here’s looking at you Amazon)).

    2. E.M.H.

      If I understand things correctly, CVVs are not allowed to be stored *post authorization*, but as a practice that still allows it to be kept until authorization is received. And given that most times that’s a batch process, that means authorization could take a day or two. So if I remember that correctly, that still leaves open the possibility that the compromise can be upstream of the POS terminals.

      If I remember things correctly. I don’t get to use that part of my training often since payment card stuff is handled elsewhere in my organization.

      Anyway, regardless of all that, the fact that the CVVs were in the compromised data is really disturbing. It does increase the likelihood that this could’ve been a compromise of their POS terminals. And it makes the sale of this data more valuable to crime rings.

    1. Nate

      It would appear there are problems with the number. At first we got a busy signal, now it’s a Betty message that the number is no longer in service.

  10. Really Notme

    Just saw the CBS morning news with a phone interview with Krebs!
    Way to go Brian, keep up the good work.

  11. Nm

    I had a call and fraud alert text from American Express Sunday the 15th. Someone had used the card at TARGET that day and charges were well over $600 when I went online. Amex wiped out all charges and sent me a new card that day. Their fraud dept. seems to be the best.

  12. NotMe

    yes, I had 10 withdrawals from my bank account, all around $96. to total almost $1000. this happened a year ago. I have noticed how the cameras are directly above the debit machines and the faces of the machines are totally exposed.
    Cindy

  13. jake

    Who is their credit card processor and what is their responsibility?

    1. Chris

      Unless the breach happened at the credit card processor, the liability is passed on to Target. The card brands will “fine” the processor, but all merchants have agreements with their payment processors that these fines will be passed on to the merchant. The legality of this arrangement is being questioned by another company that had a breach and was assessed these fines. Google Genesco v. Visa

    1. Really Notme

      Looks a little older than the picture on the site 🙂
      Way to go, Krebs in the mainstream media (again)!

  14. Faith in US

    Well, I’m glad that Target is fessing up to their data breach; however, this is totally unrelated to the numerous people in my city who’ve had their VISA debit card accounts hacked.

    Why is no one else reporting a data breach that would help explain why nearly everywhere I go, every day, someone else says their card has been hacked since the week of Thanksgiving?

    VISA–anything you need to add to this discussion?

    1. RBBrittain

      Just because you ran into them at other stores does NOT mean their cards were hacked elsewhere. According to what’s been released, if you swiped your credit or debit card even ONCE at a Target store between 11/27 & 12/15 it could have been compromised; assuming it’s the magstripe that was copied, the thief can copy that onto another card and use it ANYWHERE your card brand is accepted. (If they mostly seem to be Visa, that’s only because most debit cards happen to be Visa.)

  15. Secret

    As I posted above, the data is for sale at:

    Rescator.la
    Kaddafi.hk
    Octavian.su (copy of Rescator)

    Lampeduza.la is the forum where administrator, Rescator, runs his Senate office (you’ll see if you go there)

    All are free to register.

  16. Liz

    I had fraudulent purchases on my account yesterday. Any way of finding out if my number was accessed in the breach?

    1. amy

      You know the card’s been compromised, so what does it matter where? The card should be cancelled and a new one obtained, regardless.

      1. Rob

        Where matters so you can avoid any place that handles stuff sloppily.

  17. John H

    Went to Target in Chicago suburbs on Tuesday, and was the first person to use the card reader, it still had its plastic protection on the reader. I’m not sure if it is related or not. I did shop with a credit card at Target during the vulnerable period, but no unexpected charges so far.

  18. kolton

    I’m doing a report on this, but why would anyone wanna hack into a credit or debit card?

  19. not_required

    For the Canadians in the room, it was only US stores that were impacted according to the press release that Brian included in the story…

  20. Chris

    ABC 7 in Los Angeles reported that Target is saying that PIN information may also have been compromised. Local news, so not sure if this is verified yet.

    1. RBBrittain

      Target’s own release does *NOT* say PINs were compromised, but even if they were that only makes it easier to use the debit cards (especially at ATMs *or* if it’s REDcard debit, both of which *require* a PIN). Most debit cards are Visa/MC; those can be used at most merchants *without* a PIN.

      If it’s REDcard debit, it’s probably a good idea to change your PIN anyway just in case they got it; I changed mine early this morning before the rush took RCAM down. As those cards are ONLY accepted at Target stores, Target.com & Target Ticket (all of which *require* a PIN — Target Ticket stores your PIN, but *not* Target.com), changing the PIN should be sufficient as long as the database with your bank account number remains secure (AFAICT it still is for now).

      However, that’s *only* for REDcard debit; changing your PIN, or even your bank account number, will *NOT* stop compromised debit cards at Visa/MC merchants, whether the PIN was captured or not. If they’re hitting your Visa/MC debit card, the ONLY effective solution is to cancel & reissue the card.

      1. Marius Telemacher

        Agreed. In the US, most Visa/MC transactions at less than $20 do not require a signature or ID at restaurants. Not a great way to use stolen card data, but still possible.

        Pretty sure mom and pop stores who have merchant service offering this “soft authorization” policy won’t check anything either.

  21. SooperJ

    No authorized charges yet on my Target RedCard, but have been on hold for 35 minutes using the 866-852-8680 number, the only number that I found working. Also couldn’t log on to my redcard account online. Be patient on the phone, there is a long period of phone ringing and silence.

    happy holidays yo!

    1. SooperJ

      duh, I mean unauthorized charges……..more coffee stat!

    2. RBBrittain

      I’m sure they’re swamped right now. Luckily I checked that site overnight (before Target confirmed the story), verified my REDcard debit card had no unauthorized charges, and changed the PIN as an initial step. (Though that’s NOT enough for compromised Visa/MC debit cards, it SHOULD be enough for REDcard debit even if PINs were compromised; they’d have to hack a central Target server, *not* PIN pads or store servers, to get to your account number.)

    3. CG

      Use the target mobile app or go to the mobile site. I was able to get to my information that way.

    4. SooperJ

      my connection to 866-852-8680 booted me off after being on hold for an hour. Sheesh.

  22. matt

    Not only did my wife shop at Target during the days in question, she opened a Red card. And guess where I can’t login to check her Red Card for fraudulent activity: https://rcam.target.com/

    This is going to be a mess.

    1. RBBrittain

      I couldn’t either, but that’s predictable; everyone with a REDcard is trying to login at the same time. Try again later.

  23. Chris

    Target is using the Verifone MX 925 payment terminal. This device is certified PCI PTS 3.0 as well as EMV level 1 and 2. Interestingly this terminal is also multimedia device capable of displaying streaming video content and has a web development environment. I wonder if we are trying to make these devices do too many things.

    The device is supposed to be able to support a RSA tokenization solution that would eliminate any storage of card data on the reader or Target’s servers. I’m guessing that this feature was not being used.

    No indication yet if this affected all terminals or just one at each site like Barnes and Noble.

    1. Wombat94

      Target does not have MX 925s at all locations, so if there is an issue with those devices, it would not be a universal problem.

      I know our local Target stores still have much older pinpads (I’m not sure what model/brand at the moment, but definitely not Verifone.)

      Having said that, I think it is very premature to be speculating that the MX 925 is at fault here. We work with Verifone payment terminals and, though they surely could be incorrectly set up, our experience with Verifone terminals is that they are designed to be very secure. If chosen by the retailer, the MX series of pinpads have a secure mode where only code signed by Verifone will be executed on the device, so it would be very difficult to get rogue code on the devices unless it was indeed an inside job.

      As with anything, the devil is in the details – which we will hopefully learn in the coming days.

      Having been through a recent (within the last 2 years) credit card terminal implementation for my employer, my gut says that this may be a matter of older pinpad hardware that is still out in the field being exploited – not the newer equipment, which would be more secure and harder to attack.

      1. RBBrittain

        The Targets in my area do *NOT* have MX 925 terminals.

  24. Debbie Fillmore

    Were social security numbers at risk here? A co-worker said she heard that they were. I wouldn’t think that would be information stored in the card itself. Thank you!

    1. Chris

      SSN is not stored on any credit or debit card, however if someone applied for a REDcard at the store they would have entered their SSN on the PIN pad device and possibly swiped their driver’s license as well. It is not clear at this time if that data was also stolen, but it is a possibility.

    2. RBBrittain

      From what’s out there so far, there’s *no* reason to believe any SSNs are at risk. Target’s announcement is consistent with the early reports that only card magstripes were captured; SSNs should *never* appear there.

  25. Corey

    The MX 925 has a Linux operating system and is web enabled. Facilitating payment processing connectivity, another port was probably left unsecured which enabled the bad actors to locate the devices on the net, upload a virus, which waited for the holidays. I think Target may need to buy 8,000 new POS terminals and Verifone may need to change the devices’ default settings…. Horrible this happened on the holidays. Every single shopper will need a new credit card and an identity theft credit alert.

  26. Donna

    I have no fraudulent charges on my debit card (used twice at Target on Dec 11 and 14) but what I want to know is, when is my bank going to contact me about issuing me a new card? Why am I reading about this on the Internet this morning, when apparently it’s been known for some time to these institutions what happened? They should at least be sending out an email to their account holders telling them there was a breach and that a new card is being issued right away.

    1. RBBrittain

      Your bank will NOT know about it unless either you or Target have contacted them. The timeframe being given is when the BREACH occurred, NOT when Target (much less your bank) knew about it.

      If it’s a Visa/MC debit card (most likely from initial reports), CALL YOUR BANK FIRST so they can cancel & reissue the card. If it’s a REDcard debit card, call Target first (only THEY can cancel & reissue), THEN your bank.

    2. Jason

      They will wait until your card has a “fraudulent pattern” occur.

      Personally, I would call them up and tell them you have reason to believe your credit card information has been obtained illegally and that you want a new card number.

      As a credit card user, why wait to clean up when you can get a new card now? As a credit card company, they don’t want to issue new cards if they can avoid it as it costs them money. The fraud won’t cost them money as that gets passed on downstream, so they just wait for it to occur.

    3. Jim

      I actually broke the news for our institution (a community bank) and we proactively contacted our card processing company. No one notified us.

      Target’s presser may’ve said they:

      “…alerted authorities and financial institutions immediately after it was made aware of the unauthorized access…”

      They may’ve been working with the card processing companies, but no one had contacted our bank, that I know. We’re now pro-actively calling customers who used their debit card during the dates in question.

      Thanks, Brian!

    4. NotMe

      @Donna,
      My son was notified about a week ago. His bank called him and said that a retailer had been compromised and they were issuing new cards as a precaution. Target has known about this for awhile and reported it to the processing banks as per the contracts.

      If your bank has not taken action that should tell you something about how they treat their customers.

  27. Donna

    Hey Krebs – bug to fix. I just refreshed my screen and the field box for “Name” was populated with “Donna” and her email address too….

    Neither are mine.

    1. matt

      I just refreshed my screen and the field box for “Name” was populated with “XXXX” and her email address too….

      Neither are mine.

      Yup, same here. I actually assumed it was an IE11 issue.

  28. James

    I used my debit card there on 12/14. This morning I had a $1.00 auth from Hotels.com and I have never used Hotels.com so apparently someone was testing my account number. I have killed that card and ordered a new one.
